Today, the Department of Defense published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 89058-89138) for the “Cybersecurity Maturity Model Certification (CMMC) Program”. This rulemaking would “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) Program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs”. Separately, the DOD published a notice in the Federal Register (88 FR 89139-89140) that provides links to a series of guidance documents that would support the CMMC.
This rulemaking would modify the current CMMC program established by an interim final rule in September 2020. This new version (CMMC 2.0) would have three key features:
Tiered model,
Assessment requirement, and
Implementation through contracts.
Tiered Model
This NPRM would establish a three-tiered model for the CMMC. Once the CMMC is fully established, new DOD contracts will specify which CMMC tier level requirements a contractor must meet to be awarded the contract. Each Tier level would come with specific cybersecurity self-assessment requirements.
CMMC Level 1 – Contractors would be required to implement the existing 15 security requirements currently required by the FAR clause 52.204–21. Contractors would be required to annually conduct a self-assessment that all of those security requirements have been implemented, and enter a score into the Supplier Performance Risk System (SPRS). A senior official from the prime contractor and any applicable subcontractor will be required to annually affirm continuing compliance with the specified security requirements.
CMMC Level 2 – Contractors would be required to implement the existing 15 security requirements currently required by the FAR clause 252.204–7012 (which is aligned with NIST SP 800–171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). Contractors would be required to either conduct a self-assessment that all of those security requirements have been implemented, or undergo a third-party assessment. In either case, the resulting score would be entered into the Supplier Performance Risk System (SPRS). Selected requirements are allowed to have a Plan of Action and Milestones (POA&M) that must be closed out within 180 days of the assessment. A senior official from the prime contractor and any applicable subcontractor will be required to annually affirm continuing compliance (including POA&M closeout) with the specified security requirements.
CMMC Level 3 – In addition to meeting Tier 2 requirements, contractors would also have to comply with 24 selected security requirements from NIST SP 800–172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information). Compliance with those requirements would be assessed by DOD. Selected requirements are allowed to have a Plan of Action and Milestones (POA&M) that must be closed out within 180 days of the assessment. A senior official from the prime contractor and any applicable subcontractor will be required to annually affirm continuing compliance (including POA&M closeout) with the specified security requirements.
To determine which CMMC level requirements apply, the rule provides the following ‘scoping’ requirements:
CMMC Level 1 - Section 170.19(b),
CMMC Level 2 - Section 170.19(c), and
CMMC Level 3 - Section 170.19(d)
Comments from Interim Final Rule
In the preamble to this rule, DOD looks at comments that it received when the IFR was published and discusses how those comments are addressed in this NPRM. Topic areas include:
Public Comments
The DOD is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DoD-2023-OS-0063). Comments should be submitted by February 26th, 2024. I suspect that efforts will be made to get DOD to extend the comment period because of the holidays.