CMMC Inches Closer to Implementation As Deadline for Comments on DoD’s Proposed DFARS Rule Approaches

     In mid-August, as the dog days of summer rolled on, the U.S. Department of Defense (DoD) published its long-awaited Proposed Rule revising the Defense Federal Acquisition Regulation Supplement (DFARS) in order to incorporate the Cybersecurity Maturity Model Certification (CMMC) program requirements into DoD solicitations and contracts.  Government contractors that wish to comment on the Proposed Rule have until next week - October 15 - to make their submissions.

     DoD’s CMMC program moved a bit further down what has been a tortuous path toward implementation with the latest Proposed Rule.  Government contractors may recall that last December, DoD finally published a proposed rule under its nation defense regulations that would establish the CMMC program.  That proposed rule in December set out the CMMC framework in significant detail.  The proposed regulations under DFARS that DoD put forward more recently in August are, therefore, contingent on the earlier CMMC program regulations becoming final.

Three-Year Phased Rollout

     For its part, the Proposed Rule under DFARS is a relatively sparse document that amends the current CMMC regulations in DFARS.  The current DFARS regulations were issued, perhaps prematurely, in 2020 before the CMMC program was actually established.  Under those regulations, CMMC was expected to be implemented through a phased rollout in which CMMC requirements would be incorporated into DoD contracts on a contract-by-contract basis until September 30, 2025, with full implementation into all DoD contracts by October 2025.

     As revised by the recent Proposed Rule, however, the DFARS regulations now make no mention of a phased rollout or a specific deadline for full implementation of CMMC clauses into DoD contracts.  Instead, discussion of implementation appears only in the preamble to the Proposed Rule that gives background and DoD's explanation for the proposed regulation changes.  As DoD explains in the preamble, over a three-year period the CMMC requirements and the related DFARS clauses will be phased into only certain DoD solicitations and contracts.  After the end of the three-year rollout period, the CMMC DFARS clauses will be incorporated into all DoD solicitations and contracts – except those for commercially-available off the shelf items – that are greater than the micro-purchase threshold and that involve processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Certification or Self-Assessment By Time of Award

     As for when a government contractor is required to conduct a self-assessment or obtain a CMMC certification, the Proposed Rule requires that DoD contractors conduct the self-assessments or attain certifications for the required CMMC levels and post the results of current certifications and self-assessments in the Supplier Performance Risk System (SPRS) by the time of contract award.  CMMC Level 1 self-assessments are considered current if they are not older than one (1) year, while CMMC Level 2 self-assessments and certifications and CMMC Level 3 certifications are considered current if they are not older than three (3) years.  Government contractors are required to meet the CMMC Level requirements for the life of the DoD contract.

Subcontractor Flow Downs

     CMMC certification requirements must be flowed down to any subcontractor at all tiers that will process, store, or transmit FCI or CUI.  Government contractors must ensure that subcontractors have the appropriate CMMC level before awarding a subcontract. 

Annual Compliance Affirmation

     Government contractors also are required to complete and maintain at least on an annual basis an affirmation of continuous compliance with the CMMC security requirements.  The affirmation must be made by a senior company official.

CMMC Level and DoD Explanations

     The Proposed Rule includes drafts of the DFARS clauses that will be inserted into DoD solicitations and contracts.  Notably, however, neither the DFARS clauses nor DOD’s Preamble to the Proposed Rule indicate which CMMC Level will apply to which kinds of DoD contracts.  Instead, the proposed clauses simply leave a  blank space for the required CMMC level to be filled in by the contracting officer.  

   In its Preamble to the Proposed Rule, DoD does address many questions that came up during the rule-making process for its 2020 CMMC regulations.  For example, DoD clarifies that for any joint ventures the expectation is that each joint venture partner will be required to comply with the CMMC level requirements that relate to the individual partner’s information systems that process, store or transmit FCI or CUI during contract performance.  But on the issue of costs related to CMMC, as another example, DoD simply refers to the general rule for determining cost allowability under FAR 31.201-2.

Small Business Contractors

   Before concluding its Preamble, DoD provides its obligatory analysis and conclusion under the Regulatory Flexibility Act for why it does not expect the Proposed Rule to have a significant economic impact on a substantial number of small entities.  A full discussion of that analysis is beyond the scope of this article.  However, DoD’s insistence that a three-year rollout period sufficiently mitigates against the enormous costs that will be imposed on the expected 60,000 small businesses that will be subject to the Proposed Rule because, among other reasons, “not every contractor will be awarded a contract in Year 4” betrays the facile nature of DoD’s analysis.  Small business contractors that become subject to third party certification requirements and are put to the tens or hundreds of thousands of dollars in related costs may, perhaps, look back wondering whether there were truly no “known alternatives” to achieve statutory compliance, as DoD now claims.

     At this point, and anticipating CMMC’s impending implementation, DoD government contractors should, at a minimum, have familiarity with not only the safeguarding requirements that correspond to the different CMMC Levels but also the documentation and policies that may be necessary to substantiate compliance with those requirements to a third party assessor.  Government contractors, and in particular small businesses, also should have an understanding of the costs that they may have to incur in order to obtain certification at CMMC Levels that may be expected to apply to their government contracts.