Department of Defense Issues Final CMMC Rule

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, (CMMC level 1, CMMC level 2, and CMMC level 3) depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.

Updated Implementation Timeline

DoD extended the timeline for CMMC implementation. DoD will now roll out the CMMC program in a four-phased approach:

  • Phase 1 will begin in early to mid-2025 when DoD finalizes the second part of its CMMC rule under 48 C.F.R. Part 204. Once that rule is finalized, DoD will begin including CMMC level 1 and CMMC level 2 self-assessment requirements in new solicitations. That is, while DoD contractors will not need to obtain a CMMC certification by Phase 1, they will need to self-assess and affirm compliance with CMMC level 1 and/or level 2 security requirements when competing for new DoD contracts.
  • Phase 2 will begin one year after the start of Phase 1 (~early to mid-2026). During Phase 2, DoD will begin including CMMC level 2 certification requirements in applicable solicitations. Contractors who expect to bid on solicitations requiring a CMMC level 2 certification should plan to obtain that certification by early 2026 to avoid losing out on DoD opportunities.
  • Phase 3 will begin one year after the start of Phase 2 (~early to mid-2027). During Phase 3, DoD will begin requiring contractors to meet the CMMC level 2 certification requirements as a condition to exercise option periods on applicable contracts awarded after the effective date of the CMMC rule. DoD will also begin including CMMC Level 3 requirement in applicable solicitations.
  • Phase 4 will begin one year after the start of Phase 3 (~early to mid-2028). During Phase 4, DoD will include CMMC program requirements in all applicable CMMC solicitations and as a condition to exercise option periods on applicable contracts regardless of when they were awarded.

Narrower Assessment Scope for Security Protection Assets

The final rule narrows the assessment scope for contractors’ Security Protection Assets (“SPA”). Under the proposed rule, certain contractor assets that provide security functions or capabilities (i.e., SPAs) for the protection of controlled unclassified information (“CUI”) had to meet all security requirements of CMMC level 2. The final rule reduces that assessment scope so now SPAs only need to be assessed against “relevant” security requirements. This change should reduce the regulatory burden on contractors because they will no longer need to show how SPAs meet CMMC security requirements that are not applicable to the SPAs being assessed.

External Service and Cloud Service Providers

The final rule provides greater clarity as to when External Service Providers (“ESPs”) are within the scope of a contractor’s CMMC assessment. Under the final rule, if an ESP deals with CUI, then it must be assessed against all CMMC level 2 security requirements and must obtain a CMMC level 2 assessment or certification. By contrast, ESPs that only deal with security protection data (“SPD”)—data used to protect a contractor’s assessed environment—are subject to a more limited assessment and do not require a full CMMC level 2 assessment or certification. A service provider that does not deal with CUI or SPD does not meet the CMMC definition of ESP and presumably is outside the scope of any CMMC assessment.

For Cloud Service Providers (“CSPs”) dealing with CUI, the final rule tracks current DoD security requirements, which require CSPs to meet security requirements equivalent to the FedRAMP moderate baseline. Like with ESPs, CSPs that only deal with SPD are subject to a more limited assessment and CSPs that do not deal with CUI or SPD are outside of the CMMC scope.

© 2024 Blank Rome LLP by: Michael J. Montalbano of Blank Rome LLP For more news on the Department of Defense CMMC Rule, visit the NLR Government Contracts, Maritime, and Military section.

  • Related Posts

    You See Health, Whistleblower Saw Fraud: Uncovering a $23 Million Healthcare Fraud Scheme

    A whistleblower’s vigilance has led to the revelation of alleged Medicare and TRICARE fraud involving UCHealth, a healthcare system with locations throughout the state of Colorado. University of Colorado Health…

    Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act

    The Supreme Judicial Court of Massachusetts, the state’s highest appellate court, recently held that website operators’ use of third-party tracking software, including Meta Pixel and Google Analytics, is not prohibited…

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Selena Gomez Has SIBO: What to Know About This Rare Digestive Condition

    • By admin
    • November 23, 2024
    • 1 views
    Selena Gomez Has SIBO: What to Know About This Rare Digestive Condition

    The Pros and Cons of TikTok’s Viral ‘Winter Arc’ Challenge: What to Know

    • By admin
    • November 23, 2024
    • 1 views
    The Pros and Cons of TikTok’s Viral ‘Winter Arc’ Challenge: What to Know

    You See Health, Whistleblower Saw Fraud: Uncovering a $23 Million Healthcare Fraud Scheme

    • By admin
    • November 23, 2024
    • 1 views
    You See Health, Whistleblower Saw Fraud: Uncovering a $23 Million Healthcare Fraud Scheme

    Dow Jones Today: Futures Little Changed as Stocks on Pace for Weekly Gains; Bitcoin Nears $100,000

    • By admin
    • November 22, 2024
    • 2 views

    Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act

    • By admin
    • November 22, 2024
    • 6 views
    Website Use of Third-Party Tracking Software Not Prohibited Under Massachusetts Wiretap Act

    Surgeon General: Health Disparities Remain as US Smoking Rates Decline

    • By admin
    • November 21, 2024
    • 6 views
    Surgeon General: Health Disparities Remain as US Smoking Rates Decline