1. DoD and CMMC

Throughout 2023, we have been closely following the development of three Defense Federal Acquisition Regulation Supplement ("DFARS") cybersecurity updates (currently styled as "DFARS Cases" while in development). These relate to safeguarding and reporting requirements, data security assessments, and implementation of the DoD's Cybersecurity Maturity Model Certification ("CMMC") program. Just in time for the new year, DoD published a Proposed Rule to implement the CMMC program on December 26, 2023 (which we discuss in more detail here). Below, we provide a high level summary of the DFARS cases, and a separate summary related to the CMMC program.

DFARS Cases Relating to Cybersecurity

Updates to the Safeguarding Covered Defense Information and Cyber Incident Reporting Clause (DFARS Case 2023-D024) – This will amend the existing clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to incorporate references to NIST SP 800-172 requirements (for the small percentage of defense contractors subject to the strictest security requirements), harmonize certain terminology in line with the CMMC program, address international agreements, and streamline the vendor identification process. The update will come in the form of a proposed rule, with a current deadline of January 31, 2024 (though these deadlines often get pushed back).

NIST SP 800-171 DoD Assessment Requirements (DFARS Case 2022-D017) – This rule was split from the DFARS Case below to implement the NIST SP 800-171 DoD Assessment Methodology, which requires certain DoD contractors to conduct self-assessments and enables the DoD to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171. The requirements of this rule are currently effective per DFARS 252.204-7019 and -7020. We discussed the related Interim Rule (which was published in 2020) here. Obviously, we have been waiting a long time for DoD to publish a final rule. The Fall 2023 Unified Agenda indicates a final rule will be issued in February 2024.

Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) – This amends an interim rule to implement the CMMC framework 2.0 in the DFARS. The CMMC framework assesses compliance with applicable information security requirements and this rule aims to provide the DoD with assurances that a DIB contractor can adequately protect unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors and service providers in a multi-tier supply chain. Currently, the Defense Acquisition Regulations Council is scheduled to review the proposed DFARS rule on January 10, 2024, and the Fall 2023 Unified Agenda indicates a proposed rule to amend the DFARS will be published in March 2024.

The CMMC Program

The CMMC program has been in the works for some time. By way of brief recap, here are major milestones in the development of the program:

  • January 30, 2020 – The CMMC program is first introduced; we wrote about this here.
  • September 29, 2020 – A Draft CMMC rule is published.
  • March 2021 – DoD initiates an internal review of CMMC.
  • November 2021 – "CMMC 2.0" is announced, based on review of over 850 public comments received in response to the September 2020 Draft CMMC rule. We wrote about the key differences between CMMC 1.0 and 2.0 here.
  • December 26, 2023 – The CMMC Program Proposed Rule is published.

As expected based on the CMMC 2.0 announcement, the CMMC Program Proposed Rule follows the three-tiered approach (Levels 1, 2, and 3). We discuss the requirements for each level, along with other notable provisions from the Proposed Rule, in more detail here, but there are no major surprises. A few notable additions/clarifications include:

  • Implementation – the roll-out of the program will occur via a four-phased approach, and is more aggressive than in the previous version of the rule. It anticipates full implementation (Phase 4) will take place 2.5 years after changes to the DFARS become effective (per DFARS case 2019-D041).
  • Timing of certification – the Proposed Rule indicates the requisite certification will be required at the contract award stage (i.e., "as a condition of award"), rather than at the proposal stage.
  • Cloud Service Providers and External Service Providers – Cloud service providers must be authorized at the FedRAMP Moderate level or provide evidence of equivalent security controls. External service providers must have controls in place for the requisite CMMC level.
  • International Entities – Overseas companies will have to meet the same requirements as U.S. domestic suppliers. There is not yet a plan to recognize international or other cybersecurity standards.
  • Disputes – the Proposed Rule indicates there will be two separate disputes processes: (1) for disputing an assessment by a C3PAO, and (2) for disputing the CMMC level required by a solicitation. A C3PAO assessment dispute will be escalated to the Cyber AB for resolution, whereas issues with the CMMC level requirement in a solicitation can be raised to the contracting officer (likely via a pre-award protest).

What to Expect in 2024

Comments on the CMMC Program Proposed Rule are due by February 26, 2024 (i.e., 60-day comment period). Given the anticipation surrounding the Proposed Rule, and the significant impact it will have on DoD contractors, we expect there will be a large number of comments submitted. In any event, we expect a final rule (and implementing DFARS requirements) will likely very closely mirror the Proposed Rule and, as such, contractors should refocus on preparing (via self-assessments or engaging a C3PAO) in the meantime.
