Department of Defense Issues Final CMMC Rule

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, (CMMC level 1, CMMC level 2, and CMMC level 3) depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Updated Implementation Timeline

DoD extended the timeline for CMMC implementation. DoD will now roll out the CMMC program in a four-phased approach:

  • Phase 1 will begin in early to mid-2025 when DoD finalizes the second part of its CMMC rule under 48 C.F.R. Part 204. Once that rule is finalized, DoD will begin including CMMC level 1 and CMMC level 2 self-assessment requirements in new solicitations. That is, while DoD contractors will not need to obtain a CMMC certification by Phase 1, they will need to self-assess and affirm compliance with CMMC level 1 and/or level 2 security requirements when competing for new DoD contracts.
  • Phase 2 will begin one year after the start of Phase 1 (~early to mid-2026). During Phase 2, DoD will begin including CMMC level 2 certification requirements in applicable solicitations. Contractors who expect to bid on solicitations requiring a CMMC level 2 certification should plan to obtain that certification by early 2026 to avoid losing out on DoD opportunities.
  • Phase 3 will begin one year after the start of Phase 2 (~early to mid-2027). During Phase 3, DoD will begin requiring contractors to meet the CMMC level 2 certification requirements as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. DoD will also begin including CMMC Level 3 requirement in applicable solicitations.
  • Phase 4 will begin one year after the start of Phase 3 (~early to mid-2028). During Phase 4, DoD will include CMMC program requirements in all applicable CMMC solicitations and as a condition to exercise option periods on applicable contracts regardless of when they were awarded.

Narrower Assessment Scope for Security Protection Assets

The final rule narrows the assessment scope for contractors’ Security Protection Assets (“SPA”). Under the proposed rule, certain contractor assets that provide security functions or capabilities (i.e., SPAs) for the protection of controlled unclassified information (“CUI”) had to meet all security requirements of CMMC level 2. The final rule reduces that assessment scope so now SPAs only need to be assessed against “relevant” security requirements. This change should reduce the regulatory burden on contractors because they will no longer need to show how SPAs meet CMMC security requirements that are not applicable to the SPAs being assessed.

External Service and Cloud Service Providers

The final rule provides greater clarity as to when External Service Providers (“ESPs”) are within the scope of a contractor’s CMMC assessment. Under the final rule, if an ESP deals with CUI, then it must be assessed against all CMMC level 2 security requirements and must obtain a CMMC level 2 assessment or certification. By contrast, ESPs that only deal with security protection data (“SPD”)—data used to protect a contractor’s assessed environment—are subject to a more limited assessment and do not require a full CMMC level 2 assessment or certification. A service provider that does not deal with CUI or SPD does not meet the CMMC definition of ESP and presumably is outside the scope of any CMMC assessment.

For Cloud Service Providers (“CSPs”) dealing with CUI, the final rule tracks current DoD security requirements, which require CSPs to meet security requirements equivalent to the FedRAMP moderate baseline. Like with ESPs, CSPs that only deal with SPD are subject to a more limited assessment and CSPs that do not deal with CUI or SPD are outside of the CMMC scope.

© 2024 Blank Rome LLP by: Michael J. Montalbano of Blank Rome LLP For more news on the Department of Defense CMMC Rule, visit the NLR Government Contracts, Maritime, and Military section.

  • Related Posts

    Tax and Disclosure Considerations Related to Executive Security Benefits

    Key Takeaways Executives and companies may deduct the cost of security benefits that meet certain requirements under the Treasury Regulations Public companies are generally required to disclose the cost of…

    Congress Passes Defense Bill with AI Provisions — AI: The Washington Report

    On December 18, Congress passed the FY 2025 National Defense Authorization Act (NDAA), which includes a number of AI provisions. The NDAA is expected to be signed into law by…

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Dow Jones Today: Tesla, Supermicro Lead Stocks Higher to Kick Off Santa Claus Rally

    • By admin
    • December 24, 2024
    • 7 views
    Dow Jones Today: Tesla, Supermicro Lead Stocks Higher to Kick Off Santa Claus Rally

    Tax and Disclosure Considerations Related to Executive Security Benefits

    • By admin
    • December 23, 2024
    • 7 views
    Tax and Disclosure Considerations Related to Executive Security Benefits

    Dow Jones Today: Dow Dips as Chip Stocks Lead Nasdaq Higher; Eli Lilly Rises

    • By admin
    • December 23, 2024
    • 7 views

    Congress Passes Defense Bill with AI Provisions — AI: The Washington Report

    • By admin
    • December 22, 2024
    • 10 views
    Congress Passes Defense Bill with AI Provisions — AI: The Washington Report

    Why People on TikTok Are Slathering Their Face with Beef Tallow

    • By admin
    • December 21, 2024
    • 11 views
    Why People on TikTok Are Slathering Their Face with Beef Tallow

    Meat Substitutes Linked to 42% Higher Depression Risk in Vegetarians

    • By admin
    • December 21, 2024
    • 10 views
    Meat Substitutes Linked to 42% Higher Depression Risk in Vegetarians