The U.S. Department of Defense (DoD) released a proposed rule to implement its Cybersecurity Maturity Model Certification (CMMC) program, which would establish a comprehensive set of cybersecurity requirements applicable to defense contractors. If enacted, CMMC would obligate contractors to take steps to protect sensitive, unclassified government information. The DoD is expected to incorporate the new CMMC cybersecurity requirements into solicitation provisions and implement those requirements by October 1, 2026.

Small businesses, subcontractors and non-U.S. companies will be required to achieve CMMC compliance consistent with the type of information they create or handle, whether Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Application Threshold

The proposed rule states that CMMC will apply to all DoD prime contracts and subcontracts where the prime contractor or subcontractor “handles FCI or CUI on its own contractor information systems.” There is only a limited exception for contracts solely focused on commercially available off-the-shelf items.

Tiered Compliance Framework

The CMMC program features a tiered compliance framework requiring DoD to “identify CMMC Level 1, 2, or 3” as a solicitation requirement for any contract involving contractors or subcontractors processing, storing, or transmitting FCI or CUI on its unclassified information system(s). Level 1 is generally geared towards contractors and subcontractors handling less sensitive information and FCI. Levels 2 and 3 are geared toward contractors and subcontractors responsible for handling more sensitive information and CUI.

Once the rule is finalized, DoD is expected to specify the required CMMC Level in each solicitation and the resulting contract.

Level 1 will require an annual self-assessment and affirmation that would assert a contractor has implemented all the basic safeguarding requirements to protect federal contract information, as set forth in 32 CFR 170.14(c)(2).

Level 2 will require triennial self-assessments and annual affirmations attesting that a contractor has implemented all the security requirements to protect CUI. In addition, certain DoD contracts will include a triennial CMMC Level 2 certification assessment conducted by a CMMC Third Party Assessor Organization (C3PAO) that would verify that contractors meet these security requirements.

Level 3 will require a triennial certification assessment for each company information system that is expected to process, store, or transmit CUI in the execution of the contract. The triennial certification, like Level 2, will be conducted by a C3PAO. The proposed rule indicates that Level 3 standards will likely apply only to a “small subset” of defense contractors and subcontractors.

Third-Party Certification Requirements

Once finalized, the CMMC program is expected to require most contractors and subcontractors responsible for handling CUI to secure a third-party certification. This certification will serve to substantiate that contractors successfully implemented the cybersecurity controls set forth in National Institute of Standards and Technology Special Publication (NIST SP) 800-171. It’s worth noting that contractors and subcontractors tasked with handling CUI are already obligated to comply with NIST SP 800-171 through DFARS Clause 252.204-7012. However, the current requirement only calls for a self-attestation rather than a third-party certification. If a contractor were to fail to secure a CMMC certification, it could result in the contractor being prohibited from performing on an awarded contract.

Third-party assessments, according to the proposed rule, will be effective for three years. That time period, however, may be reduced if the federal contractor modifies an assessed system.

As mentioned above, contractors and subcontractors only responsible for handling FCI will be required to secure a Level 1 assessment, which is a self-certification consistent with the requirements in FAR 52.204-2.

Affirmation of Compliance

The proposed rule will obligate prime contractors and any applicable subcontractors to submit an affirmation of compliance with the mandated cybersecurity requirements. These affirmations by a senior official from the contractor must be submitted annually and after every CMMC assessment (whether a self-assessment or an assessment certification), including after any closeouts of Plan of Action and Milestones (POA&M). CMMC affirmations of compliance must be submitted electronically via the DoD’s Supplier Performance Risk System. Timely submission is important since contractors will not be eligible for awards under solicitations requiring CMMC compliance until they successfully submit their affirmation(s).

Multi-Phase Implementation

Implementation of DoD’s proposed rule is expected to occur in four phases over the course of two years. However, DoD is leaving it to the discretion of its program managers to include CMMC requirements earlier than what is stated in the proposed rule.

The four phases outlined in the proposed rule include:

  • Phase one: Commences on the effective date of the finalized CMMC rule. Contractors must be prepared to undergo an assessment at this stage. DoD will not be conducting a pilot program as part of the CMMC rollout. Instead, when the rule is finalized, Level 1 self-assessments will be required when warranted by CUI and FCI requirements.
  • Phase two: Expected to commence six months after phase one. At this phase, contractors must be prepared to undergo either a self-assessment or third-party assessment to achieve CMMC compliance.
  • Phase three: Expected to commence approximately one year after phase two. At this phase, contractors will be required to report their assessment results.
  • Phase four: Expected to commence one year after phase three. Phase four is considered the “full implementation” of the rule. At this phase, contractors must be prepared to complete any open POA&Ms identified in the assessment that occurred during phase two.

CMMC Compliance Extends to Subcontractors

The proposed rule requires subcontractors throughout the supply chain to be compliant with the CMMC. Prime contractors and higher-tier subcontractors must “require subcontractor compliance.” However, the proposed rule would not require prime contractors or higher-tier subcontractors to monitor subcontractor compliance.

The CMMC Level applicable to a subcontractor will be the CMMC Level that aligns with the type of information the subcontractor is tasked with storing, processing, or transmitting, which may be different from the CMMC Level applicable to the prime contractor or a higher-tier subcontractor. For example, a prime contractor with CUI would need to meet the regulatory requirements of CMMC Level 2 while a subcontractor with only FCI would need to meet just the regulatory requirements of CMMC Level 1.

CMMC Waiver Provision

DoD expects levels one, two and three of CMMC to be required in all federal contracts from October 1, 2026, onward, though the proposed rule includes language that would allow the issuance of a waiver in certain cases before solicitations are issued. Specifically, the proposed rule states “in some scenarios, [DoD] may elect to waive application of CMMC third party assessment requirements to a particular procurement. In such cases, the solicitation will not include a CMMC assessment requirement. Such waivers may be requested and approved by the Department in accordance with DoD’s internal policies and procedures.” The proposed rule would enable program managers “to seek approval to waive inclusion of CMMC requirements in solicitations that involve disclosure or creation of [federal contract information] or CUI as part of the contract effort.” Approval of a waiver must be in accordance with “internal [DoD] policies, procedures, and approval requirements.” There is no additional information pertaining to the internal processes or requirements associated with granting a waiver.

Looking Ahead

DoD’s proposed rule sends a clear message to the Defense Industrial Base (DIB): if you want to be eligible to conduct business with DoD, you must be prepared to demonstrate cybersecurity compliance, regardless of the size or focus of your company. With this message in mind, defense contractors should consider taking proactive steps to strengthen their CMMC compliance posture, including:

  • Conduct a Compliance Assessment: Contractors should conduct compliance assessments under attorney-client privilege in order to pressure test their ability to meet the requirements enumerated in CMMC without exposing the company to risk if gaps are found. Engaging counsel with technical capabilities to conduct the assessment or to direct the assessments by third parties can benefit companies by mitigating the risk of having to disclose assessment findings in litigation or during an investigation.
  • Create a System Security Plan (SSP): To prepare for a self-assessment or certification assessment, consider creating an SSP that details how security controls are implemented. Creating an SSP can also help you identify what regulated data (e.g., FCI or CUI) currently exists on your network and how that regulated data is handled.
  • Assess Impacted Suppliers: Since CMMC will apply at all tiers of the defense supply chain, take steps to engage with suppliers and teaming partners.
  • Consider a Dedicated Federal Environment on Your Network: If your company is responsible for handling a large volume of regulated data, it may be advisable to consider establishing a dedicated network environment to house and manage this data. Taking steps to segment regulated data to a dedicated environment can help mitigate legal risk by reducing the network areas containing regulated data and decreasing the chances of commingling regulated data with other data types.
  • Develop and Deploy Internal Cybersecurity Policies: Adopting effective policies that govern the handling of regulated data is critically important to maintain CMMC compliance. As a result, contractors should devise robust internal cybersecurity policies, along with an effective incident response plan and other governance documents. These documents and policies should also be regularly updated and monitored.

If you are a defense contractor or subcontractor and have questions or concerns about preparing for CMMC compliance, please contact a member of the WRVB Cybersecurity & Data Privacy practice team or Construction & Government Contracts practice team. Our law firm has experience in a variety of industries, including, among others, defense, energy, healthcare, banking/finance, technology, and manufacturing. We understand what it takes to strengthen regulatory compliance and protect data across your business.