On October 11, 2024, the Department of Defense (“DoD”) issued its Final Program Rule for the Cybersecurity Maturity Model Certification (“CMMC”) Program. The Final Rule is a signal to federal contractors to develop compliance programs pertaining to CMMC in advance of the implementation of CMMC (likely next year).
The CMMC program is designed to ensure that federal contract information (“FCI”) and Controlled Unclassified Information (“CUI”) are sufficiently protected by government contractors. For example, the CMMC program requires that federal contractors who handle CUI comply with the 110 controls contained in National Institute of Standards & Technology Special Publication 800-171A (“NIST 800-171”), obtain third-party assessments of the same, and verify their compliance with the standard.
The Final Program Rule does not immediately require CMMC compliance in DoD contracts. Rather, the implementation of CMMC in DoD contracts is tied to the so-called “CMMC Clause Rule,” which is a proposed rule that will likely be finalized sometime next year. Contractors can use this time to prepare for CMMC compliance and engage CMMC Third-Party Assessment Organizations (C3PAOs) to assess their compliance.
Changes in the Final Program Rule
The Final Program Rule largely reflects the Proposed Program Rule that the DoD released in December 2023. However, the DoD made several notable revisions in the Final Program Rule, which include:
Phased Implementation Schedule
- The CMMC rule establishes a phased approach for compliance. The Final Program Rule is broken down into four phases.
- Phase 1: Begins on the effective date of the CMMC Clause Rule.
  - DoD can begin to condition awards of relevant DoD solicitations and contracts on the completion of Level 1 or Level 2 self-assessments.
    - Level 1 requires contractors that process, store, or transfer FCI to comply with the fifteen cybersecurity standards in the FAR “Basic Safeguarding Contractor Information Systems” clause and submit an annual self-assessment of their CMMC compliance.
    - Level 2 self-assessment requires contractors that handle CUI to comply with the 110 controls in revision 2 of NIST Special Publication 800-171.
    - There are two subsets of contractors within Level 2. The majority of contractors in this level will need to have their compliance verified by outside assessors known as CMMC Third-Party Assessment Organizations (“C3PAOs”). However, the remaining contractors within Level 2 will be able to self-verify CMMC compliance. The DoD, at its discretion, may still require contractors who fall under the self-assessment category to be verified by a C3PAO.
  - DoD can also assert similar requirements through its exercise of options in active DoD contracts.
  - DoD can include Level 2 C3PAO assessment requirements instead of Level 2 self-assessment requirements in relevant DoD solicitations and contracts.
- Phase 2: Begins one year following the effective date of the CMMC Clause Rule.
  - DoD can begin to condition awards of relevant DoD solicitations and contracts on Level 2 C3PAO assessment requirements.
  - DoD can also include Level 3 DIBCAC assessment requirements in these solicitations and contracts.
    - To satisfy the requirements of Level 3, contractors must meet all the requirements of Level 2 in addition to twenty-four additional requirements from NIST SP 800-172. DIBCAC assessors will fully review these twenty-four additional requirements and will also conduct limited checks of the 110 requirements from NIST SP 800-171.
- Phase 3: Begins two years following the effective date of the CMMC Clause Rule.
  - DoD can begin to include Level 2 C3PAO assessment requirements through its exercise of options in active DoD contracts.
- Phase 4: Begins three years following the effective date of the CMMC Clause Rule.
  - CMMC Program requirements will be required for all DoD solicitations and contracts three years following the effective date of the CMMC Clause Rule. This will include option periods for contracts awarded prior to Phase 4.
The Final Program Rule Clarifies Requirements for Cloud Service Providers (“CSPs”) and External Service Providers (“ESPs”):
- CSPs who handle CUI must obtain FedRAMP Moderate authorization or meet equivalent security requirements.
- ESPs that are not CSPs that handle CUI are not required to obtain CMMC certification. However, their services will be assessed as part of the contractor’s CMMC assessment.
- ESPs and CSPs who handle “Security Protection Data” (SPD)—which includes logs, security scans, and security artifacts derived from systems handling CUI—but do not handle CUI are not required to meet FedRAMP requirements. However, their services will also be assessed as part of the contractor’s CMMC assessment.
- ESPs and CSPs who do not handle CUI or SPD are not subject to assessment requirements. However, their services may need to be documented in the contractor’s system security plan (SSP).
DIBCAC Authority to Audit Assessment Results
- The Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) is a team of technology professionals that assesses DoD contractors’ compliance with cybersecurity standards.
- The Final Program Rule expands on the DIBCAC’s ability to review contractors regardless of their CMMC status. If the DIBCAC conducts an audit of a contractor’s cybersecurity practices, and the DIBCAC’s findings differ from the contractor’s self-assessment or even a C3PAO-reported status, the DIBCAC’s findings take precedence.
- Further, the DIBCAC can independently update DoD’s Supplier Performance Risk System (“SPRS”) to indicate that the contractor does not meet the CMMC requirements. If the DIBCAC finds a contractor is noncompliant with CMMC requirements, the contractor could potentially face contractual penalties.
Plan of Action and Milestone (“POAM”) Requirement Revisions
- A CMMC POAM is a document that outlines how an organization will address and remediate cybersecurity deficiencies identified during a CMMC assessment.
- The Final Program Rule updated the CMMC Level 2 list of controls that cannot have a POAM, which now includes a control that requires the development of an SSP.
- The practical effect of this revision is that organizations are required to have an SSP prior to seeking CMMC certification.