Trending News: New Cervical Cancer Treatment Improves Survival Rates, Clinical Trial ShowsGot a Sweet Tooth? Here’s Why Your Risk of Depression, Diabetes, and Stroke May be HigherFTC Social Media Staff Report Suggests Enforcement Direction and ExpectationsHow Ozempic, GLP-1 Weight Loss Drugs Affect the Brain to Curb Substance MisuseFTC Finalizes Major Rewrite of HSR Filing RequirementsDow Jones Today: Stocks Slip From Record Highs at the Start of a Big Week of Earnings ReportsAre We There Yet? DoD Issues Final Rule Establishing CMMC ProgramThese Are the Best and Worst States for Mental Health Care in the U.S.Standing More May Not Offset Effects of Sitting, Could Cause Circulatory IssuesFTC Finalizes “Click-to-Cancel” RuleWhy Naltrexone Is Considered the ‘Ozempic for Alcohol’ Use DisorderTexas-Sized Fraud: Corporate Relator Takes on Laboratory Referral Kickback SchemeDow Jones Today: Dow Hits Fresh Record; NFLX, CVS in FocusWhooping Cough Cases Spiking in US. Here’s How to Protect YourselfHow to Develop an Effective Cybersecurity Incident Response Plan for BusinessesKathy Bates Credits Losing 100 Pounds with These 5 ThingsOzempic Microdosing Is Gaining Popularity. Does It Work for Weight Loss?The Murky Waters of Wash Trading Digital Assets – DOJ Charges 18 Individuals and EntitiesDow Jones Today: S&P, Dow Hit Records; TSMC, NVDA Rise on AI DemandBurger King Offering Free 8oz Ranch ‘Big Dip’ Cup with Sandwiches: What Nutritionists ThinkTCPA Rules on Revoking Consent for Unwanted Robocalls and Robotexts Effective April 2025Around 1 in 4 U.S. Adults Suspect They Have ADHD. What Are the Signs?IRS Issues FAQs Regarding Long-Term Part-Time Employees in 403(b) PlansDow Jones Today: S&P 500, Dow Rise as Market Rebounds From Selloff; Banks Jump on Strong Earnings‘Food Noise’ Ruled Her Life for Years. Here’s How She Learned to Silence ItCommon Mistakes When Applying for the Diversity Immigrant Visa ProgramHow Prioritizing Heart Health Could Lower Your Dementia Risk Later In LifeDepartment of Defense Issues Final CMMC RuleDow Jones Today: Stocks Slide as Nvidia Leads Chipmakers Lower, Investors Digest EarningsBreakfast Foods Affect Weight Loss, Metabolism Differently for Men vs WomenThe Evolution of AI in Healthcare: Current Trends and Legal ConsiderationsCould COVID-19 Raise Your Risk of Heart Attack and Stroke? Study Offers CluesUSCIS Issues Updated Guidance on ‘Sought to Acquire’ Requirement of Child Status Protection ActDow Jones Today: Stocks Rise as Nvidia Leads Large-Cap Tech Higher; S&P 500, Dow at New HighsIs It the End of the False Claims Act As We Know It? District Court Rules Qui Tam Provisions UnconstitutionalOctober 2024 Legal News: Law Firm News and Industry Expansion, Industry Awards and Recognition, DEI and Women in LawRytr or Wrong: Is the FTC’s Operation AI Comply a Prudent Defense Against Deception or an Assault on Innovation and Constitutional Free Speech?Dow Jones Today: Major Stock Indexes on Pace for 5th Straight Week of Gains as S&P 500, Dow Hit Record HighsHow Olympian Caeleb Dressel’s Cat Rems and Dog Jane Help Him Through ‘Rough Days’APPARENTLY NOT AN INDEPENDENT CONTRACTOR: Summary Judgment Denied Because Third Party Vendor May Have Had Apparent Authority To Make Calls Without ConsentEating Nothing But Sardines May Help You Lose Weight, But Experts Say It’s a Bad IdeaRecent Scrutiny of English-Only Workplace Rules Comes into Focus During National Hispanic Heritage MonthDow Jones Today: Stocks Lower as Investors Digest CPI Inflation and Jobs Data SurprisesVitamin D Supplements May Help Lower Blood Pressure and Cholesterol22 States Join Challenge to Massachusetts’ Question 3Harris vs. Trump: A Side-by-Side Comparison on 7 Key Health IssuesHow McDonald’s New Chicken Big Mac Compares to the Original: Calories, Ingredients, and MoreSEC Brings Multiple Enforcement Actions Relating to Beneficial Ownership and Other Reporting ObligationsDow Jones Today: S&P 500 Rises to Record High as Stock Market Rally ContinuesMost Millennials, GenZers Get Health Information From Social Media, Survey RevealsCertain Arm Positions During Blood Pressure Checks May Lead to Inaccurate ResultsMass. Appeals Court Declares Winner in Longstanding Land-Use Dispute Between Northeastern University and Town of NahantDow Jones Today: Stocks Surge as Nvidia Leads Large Caps Higher; Oil Falls SharplyAre You Eligible for Passport Renewal Online?What Digital Advertisers and Influencers Need to Know About the FTC Final Rule Banning Fake Consumer Reviews and TestimonialsDow Jones Today: Major Stock Indexes Slide as Oil Prices and Treasury Yields RisePrayers for Religious Holiday Time Off May Need to be Accommodated by EmployersPreparing For the Return of Dealer DistressHow Healthy Diet, Lifestyle May Help Lower Breast Cancer Risk as Cases Rise in Younger WomenAdministration Action Could Unravel the De Minimis Exception for Goods From ChinaDow Jones Today: Stocks Rise After Strong Jobs Report; S&P 500 Near Unchanged for WeekWhy People on TikTok Are Claiming Mucinex Helped Them Get PregnantHow Time-Restricted Eating May Lower Heart Disease, Type 2 Diabetes RiskParis Hilton Shares Why Living with ADHD Is Her ‘Superpower’Kylie Jenner Uses Nipple Cream to Give Her Lips a Healthy Sheen: Does It Work?Recent Federal Strike Force Prosecutions Serve as Warning to U.S. Manufacturers and Other ExportersDow Jones Today: Stocks Slide as Sluggish Start to October Continues; Oil Rises on Middle East ConcernsBeyonce’s Dad, Mathew Knowles, Details His Journey to Become a Breast Cancer Survivor3 More Benefits GLP-1 Drugs Like Ozempic May Provide in Addition to Weight LossApplication of New Mental Health Parity Rules to Provider Network Composition and Reimbursement: Perspective and AnalysisHow Trump, Harris Differ on Reproductive Health Issues in 2024 Presidential ElectionToo Much Coffee, Soda May Raise Your Risk of Stroke, but Tea May Lower ItWhite House OSTP Releases PFAS Federal R&D Strategic PlanThis Father of 3 Thought His Cough Was a Lingering Flu Symptom. It Was Heart FailureNearly 1 in 3 US Adults Are Iron Deficient: Healthy Tips to Boost Your Iron IntakeNon-Compete Associated with Partial Sale of Business Must Be “Reasonable” To Be EnforcedDow Jones Today: Stocks Slide as Big Tech Tumbles; Oil Jumps on Middle East TensionsSleepmaxxing: How TikTok’s Wellness Trend Can (and Can’t) Help You SleepThe Fifth Circuit Confirms the DOL’s Authority to Use Salary Basis Test for FLSA Overtime ExemptionsThe Corporate Transparency Act Requires Reporting of Beneficial OwnersDow Jones Today: Stocks Mixed as Major Indexes Poised to Post Monthly, Quarterly GainsDOJ Announces Changes to Guidance on Corporate Compliance Programs, Updates on Whistleblower ProgramUSTR Finalizes New Section 301 TariffsReplacing Some Ultra-Processed Foods in Your Diet May Significantly Lower Your Type 2 Diabetes RiskFormer Acadia Employees Received Reward for Blowing the Whistle on Healthcare FraudDow Jones Today: Dow Hits Record High; Nasdaq Slips as Nvidia Leads Chip Stocks LowerBrooke Shields on Why Embracing Aging and Prioritizing Preventive Health in Her 50s Feels ‘Like a Superpower’Dow Jones Today: Major Indexes Higher as Chipmakers and China-Facing Stocks SurgeWorkplace Safety Concerns for Florida Employers in Anticipation of Hurricane HeleneSixth Circuit Explicitly Sidesteps the NLRB’s McLaren Macomb DecisionFluMist At-Home Nasal Flu Vaccine: How Effective Is It Compared to Regualar Shots?Colorado AG Proposes Draft Amendments to the Colorado Privacy Act RulesDow Jones Today: S&P 500, Dow Rallies Stall; Nasdaq Up as Nvidia Continues RisingHow ‘Parks and Recreation’ Star Retta Learned to Manage Glucose Health After Diabetes DiagnosisSEC Revises Tick Size, Access Fees and Round-Lot Definition and Takes Steps to Disseminate Odd-Lot and Other Better Priced OrdersPsilocybin More Effective In Treating Depression Than SSRIs, Study FindsTemporary Injunctive Relief for Nondebtors in Bankruptcy Court Post-Purdue PharmaDow Jones Today: S&P 500 Hits Record High as Major Indexes Rise in Afternoon TradingExcessive Alcohol Use Linked with Higher Risk for 6 Types of CancerA Study in THC-O: Unpacking the Recent Anderson Case
Tue. Oct 22nd, 2024
Trending News: New Cervical Cancer Treatment Improves Survival Rates, Clinical Trial ShowsGot a Sweet Tooth? Here’s Why Your Risk of Depression, Diabetes, and Stroke May be HigherFTC Social Media Staff Report Suggests Enforcement Direction and ExpectationsHow Ozempic, GLP-1 Weight Loss Drugs Affect the Brain to Curb Substance MisuseFTC Finalizes Major Rewrite of HSR Filing RequirementsDow Jones Today: Stocks Slip From Record Highs at the Start of a Big Week of Earnings ReportsAre We There Yet? DoD Issues Final Rule Establishing CMMC ProgramThese Are the Best and Worst States for Mental Health Care in the U.S.Standing More May Not Offset Effects of Sitting, Could Cause Circulatory IssuesFTC Finalizes “Click-to-Cancel” RuleWhy Naltrexone Is Considered the ‘Ozempic for Alcohol’ Use DisorderTexas-Sized Fraud: Corporate Relator Takes on Laboratory Referral Kickback SchemeDow Jones Today: Dow Hits Fresh Record; NFLX, CVS in FocusWhooping Cough Cases Spiking in US. Here’s How to Protect YourselfHow to Develop an Effective Cybersecurity Incident Response Plan for BusinessesKathy Bates Credits Losing 100 Pounds with These 5 ThingsOzempic Microdosing Is Gaining Popularity. Does It Work for Weight Loss?The Murky Waters of Wash Trading Digital Assets – DOJ Charges 18 Individuals and EntitiesDow Jones Today: S&P, Dow Hit Records; TSMC, NVDA Rise on AI DemandBurger King Offering Free 8oz Ranch ‘Big Dip’ Cup with Sandwiches: What Nutritionists ThinkTCPA Rules on Revoking Consent for Unwanted Robocalls and Robotexts Effective April 2025Around 1 in 4 U.S. Adults Suspect They Have ADHD. What Are the Signs?IRS Issues FAQs Regarding Long-Term Part-Time Employees in 403(b) PlansDow Jones Today: S&P 500, Dow Rise as Market Rebounds From Selloff; Banks Jump on Strong Earnings‘Food Noise’ Ruled Her Life for Years. Here’s How She Learned to Silence ItCommon Mistakes When Applying for the Diversity Immigrant Visa ProgramHow Prioritizing Heart Health Could Lower Your Dementia Risk Later In LifeDepartment of Defense Issues Final CMMC RuleDow Jones Today: Stocks Slide as Nvidia Leads Chipmakers Lower, Investors Digest EarningsBreakfast Foods Affect Weight Loss, Metabolism Differently for Men vs WomenThe Evolution of AI in Healthcare: Current Trends and Legal ConsiderationsCould COVID-19 Raise Your Risk of Heart Attack and Stroke? Study Offers CluesUSCIS Issues Updated Guidance on ‘Sought to Acquire’ Requirement of Child Status Protection ActDow Jones Today: Stocks Rise as Nvidia Leads Large-Cap Tech Higher; S&P 500, Dow at New HighsIs It the End of the False Claims Act As We Know It? District Court Rules Qui Tam Provisions UnconstitutionalOctober 2024 Legal News: Law Firm News and Industry Expansion, Industry Awards and Recognition, DEI and Women in LawRytr or Wrong: Is the FTC’s Operation AI Comply a Prudent Defense Against Deception or an Assault on Innovation and Constitutional Free Speech?Dow Jones Today: Major Stock Indexes on Pace for 5th Straight Week of Gains as S&P 500, Dow Hit Record HighsHow Olympian Caeleb Dressel’s Cat Rems and Dog Jane Help Him Through ‘Rough Days’APPARENTLY NOT AN INDEPENDENT CONTRACTOR: Summary Judgment Denied Because Third Party Vendor May Have Had Apparent Authority To Make Calls Without ConsentEating Nothing But Sardines May Help You Lose Weight, But Experts Say It’s a Bad IdeaRecent Scrutiny of English-Only Workplace Rules Comes into Focus During National Hispanic Heritage MonthDow Jones Today: Stocks Lower as Investors Digest CPI Inflation and Jobs Data SurprisesVitamin D Supplements May Help Lower Blood Pressure and Cholesterol22 States Join Challenge to Massachusetts’ Question 3Harris vs. Trump: A Side-by-Side Comparison on 7 Key Health IssuesHow McDonald’s New Chicken Big Mac Compares to the Original: Calories, Ingredients, and MoreSEC Brings Multiple Enforcement Actions Relating to Beneficial Ownership and Other Reporting ObligationsDow Jones Today: S&P 500 Rises to Record High as Stock Market Rally ContinuesMost Millennials, GenZers Get Health Information From Social Media, Survey RevealsCertain Arm Positions During Blood Pressure Checks May Lead to Inaccurate ResultsMass. Appeals Court Declares Winner in Longstanding Land-Use Dispute Between Northeastern University and Town of NahantDow Jones Today: Stocks Surge as Nvidia Leads Large Caps Higher; Oil Falls SharplyAre You Eligible for Passport Renewal Online?What Digital Advertisers and Influencers Need to Know About the FTC Final Rule Banning Fake Consumer Reviews and TestimonialsDow Jones Today: Major Stock Indexes Slide as Oil Prices and Treasury Yields RisePrayers for Religious Holiday Time Off May Need to be Accommodated by EmployersPreparing For the Return of Dealer DistressHow Healthy Diet, Lifestyle May Help Lower Breast Cancer Risk as Cases Rise in Younger WomenAdministration Action Could Unravel the De Minimis Exception for Goods From ChinaDow Jones Today: Stocks Rise After Strong Jobs Report; S&P 500 Near Unchanged for WeekWhy People on TikTok Are Claiming Mucinex Helped Them Get PregnantHow Time-Restricted Eating May Lower Heart Disease, Type 2 Diabetes RiskParis Hilton Shares Why Living with ADHD Is Her ‘Superpower’Kylie Jenner Uses Nipple Cream to Give Her Lips a Healthy Sheen: Does It Work?Recent Federal Strike Force Prosecutions Serve as Warning to U.S. Manufacturers and Other ExportersDow Jones Today: Stocks Slide as Sluggish Start to October Continues; Oil Rises on Middle East ConcernsBeyonce’s Dad, Mathew Knowles, Details His Journey to Become a Breast Cancer Survivor3 More Benefits GLP-1 Drugs Like Ozempic May Provide in Addition to Weight LossApplication of New Mental Health Parity Rules to Provider Network Composition and Reimbursement: Perspective and AnalysisHow Trump, Harris Differ on Reproductive Health Issues in 2024 Presidential ElectionToo Much Coffee, Soda May Raise Your Risk of Stroke, but Tea May Lower ItWhite House OSTP Releases PFAS Federal R&D Strategic PlanThis Father of 3 Thought His Cough Was a Lingering Flu Symptom. It Was Heart FailureNearly 1 in 3 US Adults Are Iron Deficient: Healthy Tips to Boost Your Iron IntakeNon-Compete Associated with Partial Sale of Business Must Be “Reasonable” To Be EnforcedDow Jones Today: Stocks Slide as Big Tech Tumbles; Oil Jumps on Middle East TensionsSleepmaxxing: How TikTok’s Wellness Trend Can (and Can’t) Help You SleepThe Fifth Circuit Confirms the DOL’s Authority to Use Salary Basis Test for FLSA Overtime ExemptionsThe Corporate Transparency Act Requires Reporting of Beneficial OwnersDow Jones Today: Stocks Mixed as Major Indexes Poised to Post Monthly, Quarterly GainsDOJ Announces Changes to Guidance on Corporate Compliance Programs, Updates on Whistleblower ProgramUSTR Finalizes New Section 301 TariffsReplacing Some Ultra-Processed Foods in Your Diet May Significantly Lower Your Type 2 Diabetes RiskFormer Acadia Employees Received Reward for Blowing the Whistle on Healthcare FraudDow Jones Today: Dow Hits Record High; Nasdaq Slips as Nvidia Leads Chip Stocks LowerBrooke Shields on Why Embracing Aging and Prioritizing Preventive Health in Her 50s Feels ‘Like a Superpower’Dow Jones Today: Major Indexes Higher as Chipmakers and China-Facing Stocks SurgeWorkplace Safety Concerns for Florida Employers in Anticipation of Hurricane HeleneSixth Circuit Explicitly Sidesteps the NLRB’s McLaren Macomb DecisionFluMist At-Home Nasal Flu Vaccine: How Effective Is It Compared to Regualar Shots?Colorado AG Proposes Draft Amendments to the Colorado Privacy Act RulesDow Jones Today: S&P 500, Dow Rallies Stall; Nasdaq Up as Nvidia Continues RisingHow ‘Parks and Recreation’ Star Retta Learned to Manage Glucose Health After Diabetes DiagnosisSEC Revises Tick Size, Access Fees and Round-Lot Definition and Takes Steps to Disseminate Odd-Lot and Other Better Priced OrdersPsilocybin More Effective In Treating Depression Than SSRIs, Study FindsTemporary Injunctive Relief for Nondebtors in Bankruptcy Court Post-Purdue PharmaDow Jones Today: S&P 500 Hits Record High as Major Indexes Rise in Afternoon TradingExcessive Alcohol Use Linked with Higher Risk for 6 Types of CancerA Study in THC-O: Unpacking the Recent Anderson Case
Tue. Oct 22nd, 2024

Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0
Model Assessment
Level 3 134 requirements based on NIST SP 800-171 and 800-172 Triennial government-led assessment and annual affirmation
Level 2 110 requirements aligned with NIST SP 800-171 Triennial third-party assessment and annual affirmation; Triennial self-assessment and annual affirmation for select programs
Level 1 15 requirements Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

    APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

    The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the italicized language does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

    CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

    DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

    TEMPORARY AND ENDURING EXCEPTIONS

    DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

    A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

    An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

    The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4)). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in C.F.R Title 32 establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

    DEFINITION OF SECURITY PROTECTION DATA

    In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

    Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

    In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

    DIBCAC ASSESSMENTS

    For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an OSA. The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

    CSPS AND ESPS

    Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

    First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

    Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

    Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with Payment Card Industry Data Security Standards (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

    APPLICABILITY TO SUBCONTRACTORS

    The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

    MISREPRESENTATION AND FALSE CLAIMS ACT RISK

    Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

    Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

    THE ELEPHANT (STILL) IN THE ROOM

    The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

    CONCLUSION

    The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

    But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

    © 2024 McDermott Will & Emery by: Daniel P. Graham, Jessica McGahie Sawyer, Brian Long of McDermott Will & Emery  For more on the CMMC Program, visit the NLR Consumer Protection section

    • admin

    Related Posts

    FTC Social Media Staff Report Suggests Enforcement Direction and Expectations
    FTC Social Media Staff Report Suggests Enforcement Direction and Expectations

    The FTC’s staff report summarizes how it views the operations of social media and video streaming companies. Of particular interest is the insight it gives into potential enforcement focus in the coming…

    Continue reading
    FTC Finalizes Major Rewrite of HSR Filing Requirements
    FTC Finalizes Major Rewrite of HSR Filing Requirements

    Last week, the Federal Trade Commission (FTC) voted unanimously to issue a final rule that implements significant changes to the Hart-Scott-Rodino (HSR) premerger notification form and accompanying instructions. While the final rule…

    Continue reading

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Medicine Blog

    New Cervical Cancer Treatment Improves Survival Rates, Clinical Trial Shows

    • By admin
    • October 22, 2024
    • 1 views
    New Cervical Cancer Treatment Improves Survival Rates, Clinical Trial Shows
    Medicine Blog

    Got a Sweet Tooth? Here’s Why Your Risk of Depression, Diabetes, and Stroke May be Higher

    • By admin
    • October 22, 2024
    • 1 views
    Got a Sweet Tooth? Here’s Why Your Risk of Depression, Diabetes, and Stroke May be Higher
    Legal Topics

    FTC Social Media Staff Report Suggests Enforcement Direction and Expectations

    • By admin
    • October 22, 2024
    • 4 views
    FTC Social Media Staff Report Suggests Enforcement Direction and Expectations
    Medicine Blog

    How Ozempic, GLP-1 Weight Loss Drugs Affect the Brain to Curb Substance Misuse

    • By admin
    • October 22, 2024
    • 5 views
    How Ozempic, GLP-1 Weight Loss Drugs Affect the Brain to Curb Substance Misuse
    Legal Topics

    FTC Finalizes Major Rewrite of HSR Filing Requirements

    • By admin
    • October 21, 2024
    • 5 views
    FTC Finalizes Major Rewrite of HSR Filing Requirements
    Banking

    Dow Jones Today: Stocks Slip From Record Highs at the Start of a Big Week of Earnings Reports

    • By admin
    • October 21, 2024
    • 5 views