The Department of Defense (DoD) has issued new guidance for implementing the Cybersecurity Maturity Model Certification (CMMC) program, which aims to bolster the cybersecurity posture of the defense industrial base (DIB). The initiative is intended to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) held on contractor systems against increasingly sophisticated cyber threats.
Key Highlights of the Guidance
CMMC Program Overview
The CMMC program is designed to enhance the security of DoD information by requiring pre-award assessments of contractor information systems against prescribed cybersecurity standards. The CMMC Program final rule, published on October 15, 2024, is codified in Title 32 CFR Part 170.
Assessment Levels
The guidance outlines the three CMMC assessment levels:
CMMC Level 1 (Self-Assessment)
This level applies to contracts that involve only FCI. Contractors must conduct an annual self-assessment against the 15 basic safeguarding requirements of FAR clause 52.204-21 and record the result, together with an affirmation by a senior company official, in the Supplier Performance Risk System (SPRS). FCI excludes information the government provides to the public and simple transactional information, such as that needed to process payments.
CMMC Level 2 (Self-Assessment or Certification)
This level applies to contracts involving CUI. All 110 security requirements of NIST SP 800-171 Revision 2 must be implemented, and compliance is demonstrated either through a self-assessment or through a certification assessment performed by an authorized CMMC Third-Party Assessment Organization (C3PAO). Under the guidance, a self-assessment is sufficient for CUI that falls outside the Defense Organizational Index Grouping of the National Archives' CUI Registry, while C3PAO certification is required for CUI categorized within that grouping.
CMMC Level 3 (Certification)
This level applies to contracts requiring enhanced protection for mission-critical or unique technologies. A Level 3 certification assessment is conducted by the government (the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) against 24 selected requirements from NIST SP 800-172, and a final Level 2 C3PAO certification is a prerequisite. The added requirements address CUI associated with breakthrough, unique or advanced technology, significant aggregations of CUI, and systems whose ubiquity could result in widespread vulnerability if compromised.
These levels ensure the appropriate cybersecurity measures are in place based on the sensitivity and criticality of the information being handled.
Waiver Process
The guidance provides a process for waiving CMMC assessment requirements under specific circumstances.
Approval Authority
Waivers for CMMC assessment requirements must be approved by the service acquisition executive (SAE) or component acquisition executive (CAE). All waiver requests must be coordinated through the component chief information officer (CIO) before seeking SAE or CAE approval.
Coordination for Defense Acquisition Executive Oversight
For programs under DAE oversight, waiver requests must be coordinated through the component CIO, program executive officer, CAE or SAE, and the Office of the DoD CIO.
Scope of Waivers
Waivers can be requested and approved for individual procurements or for a class of procurements. A waiver affects only whether a CMMC assessment requirement is included in the solicitation and resultant contract; it does not relieve the contractor of the underlying safeguarding requirements, such as FAR clause 52.204-21 for FCI or DFARS clause 252.204-7012 and NIST SP 800-171 for CUI.
Reporting Requirements
SAEs and CAEs are required to report CMMC waiver data quarterly to the Office of the Under Secretary of Defense (USD) for Acquisition and Sustainment, the USD for Intelligence and Security, the USD for Research and Engineering, and the Office of the DoD CIO.
Phase-In of CMMC Assessment Requirements
Program managers and requiring activities should identify information security requirements for the types of information most likely to be associated with the planned contract effort. If market research indicates that including a CMMC assessment requirement may impede the ability to generate robust competition or delay delivery of mission-critical capabilities, the SAE, CAE or DAE may approve requests to waive inclusion of CMMC assessment requirements.
Waiver Limitations
- CMMC Level 1: No circumstances are likely to warrant approval of requests to waive CMMC Level 1 requirements, as it is a self-assessment requirement designed to provide added insight into or assurance of the offeror's compliance with FAR clause 52.204-21.
- CMMC Level 2: Waivers for CMMC Level 2 self-assessment requirements are unlikely to be approved, because DFARS 252.204-7019 already requires at least a Basic NIST SP 800-171 DoD Assessment with the score posted in SPRS. In rare circumstances, however, a waiver of the CMMC Level 2 third-party (C3PAO) certification requirement may be warranted, particularly when seeking competition from non-traditional defense contractors.
- CMMC Level 3: Waivers for CMMC Level 3 third-party assessment requirements may be warranted in rare circumstances. However, such waivers are not appropriate for contracts or work statements requiring access to both unclassified and classified DoD information.
By following these guidelines, defense agencies can ensure that the waiver process is conducted in a structured and transparent manner while still maintaining the necessary cybersecurity protections for sensitive information.
Implementation Timeline
Program managers and requiring activities must follow the CMMC implementation phases set out in Title 32 CFR § 170.3(e). Phase 1 begins on the effective date of the final Title 48 CFR DFARS rule (DFARS Case 2019-D041): from that date, all applicable solicitations and contracts involving FCI must include CMMC Level 1 self-assessment requirements, and those involving CUI must include CMMC Level 2 self-assessment requirements.
Phase 2, one year after the DFARS rule takes effect, adds CMMC Level 2 certification assessment requirements as applicable. Phase 3, two years after, adds CMMC Level 3 certification assessment requirements as appropriate. Phase 4, three years after, applies the CMMC requirements to all applicable solicitations and contracts, including option periods on contracts awarded earlier.
Responsibilities of Program Managers
Program managers and requiring activities are responsible for determining each contract's appropriate CMMC assessment level and ensuring compliance with the guidance.
Conclusion
The DoD's new guidance on implementing CMMC requirements marks a significant step forward in protecting sensitive information within the defense industrial base. By adhering to these guidelines, defense agencies can better safeguard their information systems and maintain the integrity of their operations.
Contact Us
As a CMMC Third-Party Assessment Organization (C3PAO), Cherry Bekaert brings extensive experience navigating the complexities of CMMC requirements. Our Information Assurance & Cybersecurity and Government Contracting professionals are well equipped to support your organization's compliance initiatives. With a deep understanding of the evolving regulatory landscape, we provide tailored solutions to ensure the necessary requirements are met efficiently.
If you have any questions or need guidance on CMMC implementation or compliance initiatives, our CMMC advisors are available to discuss your unique situation and help you navigate the process with confidence.