Department of Defense Issues Final CMMC Rule

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels (CMMC level 1, CMMC level 2, and CMMC level 3), depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Updated Implementation Timeline

DoD extended the timeline for CMMC implementation. DoD will now roll out the CMMC program in a four-phased approach:

  • Phase 1 will begin in early to mid-2025 when DoD finalizes the second part of its CMMC rule under 48 C.F.R. Part 204. Once that rule is finalized, DoD will begin including CMMC level 1 and CMMC level 2 self-assessment requirements in new solicitations. That is, while DoD contractors will not need to obtain a CMMC certification by Phase 1, they will need to self-assess and affirm compliance with CMMC level 1 and/or level 2 security requirements when competing for new DoD contracts.
  • Phase 2 will begin one year after the start of Phase 1 (~early to mid-2026). During Phase 2, DoD will begin including CMMC level 2 certification requirements in applicable solicitations. Contractors who expect to bid on solicitations requiring a CMMC level 2 certification should plan to obtain that certification by early 2026 to avoid losing out on DoD opportunities.
  • Phase 3 will begin one year after the start of Phase 2 (~early to mid-2027). During Phase 3, DoD will begin requiring contractors to meet the CMMC level 2 certification requirements as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. DoD will also begin including CMMC level 3 requirements in applicable solicitations.
  • Phase 4 will begin one year after the start of Phase 3 (~early to mid-2028). During Phase 4, DoD will include CMMC program requirements in all applicable CMMC solicitations and as a condition to exercise option periods on applicable contracts regardless of when they were awarded.

Narrower Assessment Scope for Security Protection Assets

The final rule narrows the assessment scope for contractors’ Security Protection Assets (“SPA”). Under the proposed rule, certain contractor assets that provide security functions or capabilities (i.e., SPAs) for the protection of controlled unclassified information (“CUI”) had to meet all security requirements of CMMC level 2. The final rule reduces that assessment scope so now SPAs only need to be assessed against “relevant” security requirements. This change should reduce the regulatory burden on contractors because they will no longer need to show how SPAs meet CMMC security requirements that are not applicable to the SPAs being assessed.

External Service and Cloud Service Providers

The final rule provides greater clarity as to when External Service Providers (“ESPs”) are within the scope of a contractor’s CMMC assessment. Under the final rule, if an ESP deals with CUI, then it must be assessed against all CMMC level 2 security requirements and must obtain a CMMC level 2 assessment or certification. By contrast, ESPs that only deal with security protection data (“SPD”)—data used to protect a contractor’s assessed environment—are subject to a more limited assessment and do not require a full CMMC level 2 assessment or certification. A service provider that does not deal with CUI or SPD does not meet the CMMC definition of ESP and presumably is outside the scope of any CMMC assessment.

For Cloud Service Providers (“CSPs”) dealing with CUI, the final rule tracks current DoD security requirements, which require CSPs to meet security requirements equivalent to the FedRAMP moderate baseline. Like with ESPs, CSPs that only deal with SPD are subject to a more limited assessment and CSPs that do not deal with CUI or SPD are outside of the CMMC scope.

© 2024 Blank Rome LLP. By Michael J. Montalbano of Blank Rome LLP. For more news on the Department of Defense CMMC Rule, visit the NLR Government Contracts, Maritime, and Military section.
