New Rule Requires Defense Contractors to Meet Cybersecurity Standards

Harris Beach PLLC

The Office of Information and Regulatory Affairs (OIRA) recently cleared the final rule for the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program, putting the agency one step closer to instituting security standards that will require vendors to be certified to specified levels before they can bid on contracts.

The rule is now before Congress and President Joseph Biden. There is an open period of 60 days to review the rule and, if no action is taken, it will become final. We do not anticipate changes and expect that, as of Nov. 12, 2024, any defense contractor will need to take the CMMC standard into account before pursuing contracts with the Department of Defense.

Significantly, OIRA previously cleared a proposed rule to incorporate the CMMC into the Defense Acquisition Regulations Supplement (DFARS) published in the Federal Register on Aug. 15, 2024. This, too, has a 60-day review period and, barring any action, will become effective on Oct. 14, 2024. Thus, all the parts are in motion to make this new regulation final.

Explaining the CMMC Cybersecurity Levels

Under the CMMC 2.0 program, the Department of Defense can assign a CMMC “level” to any contract. Vendors must be certified to that level to bid on that contract.

Level 1: This level is associated with basic safeguarding and, while rather minor compared to the two higher levels, is still a potential challenge for contractors who have never implemented a formal security program. Level 1 contractors can annually self-certify that they are compliant, but they must actually conduct the assessment and be prepared to demonstrate their work to reach that level, or they risk a claim under the False Claims Act and debarment.

Level 2: Level 2 corresponds to most of the requirements formerly under DFARS, but with a twist. In the past, organizations could self-certify to this standard. Now, an independent auditor, a Certified Third-Party Assessor Organization (awkward acronym C3PAO), must determine whether the organization and its security systems – which will hold critical national security Controlled Unclassified Information (CUI) – are compliant with the Level 2 standard.

The C3PAO assessment is valid for three years, but there are not very many certified C3PAO assessors, and it could take time to schedule the assessment. It is also important to pass when the assessment does occur, or it could take a great deal of time to reschedule. Without the certification, the organization cannot enter into a contract that requires Level 2 certification.

Level 3: This is the highest standard, and an organization must undergo government-led assessments every three years to obtain this certification. Organizations aspiring to Level 3 certification are usually quite large and already have very robust security programs. Thus, this new standard will likely impact small and medium businesses more than large businesses, as the larger organizations will likely view it as one more compliance program rather than something new.

New CMMC Requirements Could Come with Costs

CMMC requirements will be phased in over time; however, organizations new to cybersecurity controls and the NIST 800-53 control set may have difficulty understanding, implementing and “proceduralizing” each control. Further, there is a material cost for smaller organizations even to achieve Level 1 certification, because their systems and business practices are often not designed to handle CUI separately from other information.

If your organization is considering entering into contracts with CMMC requirements, be sure to consult with both legal counsel and your information technology team to understand both the scope of the requirements and the potential costs of compliance. This is essential to determining the cost associated with any contract and ensuring the proposed work is properly priced.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Harris Beach PLLC
