The U.S. Department of Defense (DoD) published a final rule on October 11, 2024, which formalizes its Cybersecurity Maturity Model Certification (CMMC) program and sets the stage for its implementation.

The CMMC Program aims to ensure that DoD contractors and subcontractors securely handle sensitive government information falling into the following categories:

        • Controlled Unclassified Information (CUI)
        • Federal Contract Information (FCI)

The program will be implemented in four phases, with Phase 1 to start when a separate CMMC rule, the CMMC Clause Rule, is finalized, which will likely occur in 2025.

For each contract, DoD will determine, based on the information being shared, whether the CMMC Program applies and, if so, which level of the program (Level 1, 2, or 3) will apply. Higher levels require more sophisticated and intensive assessments. For example, Level 1 will require an annual self-assessment; Level 2 will generally require an assessment by an authorized third-party assessor every three years (with self-assessment permitted for certain contracts); and Level 3 will require an assessment by DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years, on top of a Level 2 third-party certification. At every level, a senior company official must also affirm continued compliance annually.

Generally, Level 1 applies to contracts involving only FCI, Level 2 to contracts with CUI, and Level 3 to contracts with high-value CUI.

Generally, under the Program, contractors must demonstrate compliance with the 110 security requirements set forth in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), assessed using the procedures in NIST SP 800-171A; Level 3 adds a selected set of 24 enhanced requirements from NIST SP 800-172. On Level 1 contracts, only the 15 basic safeguarding requirements of FAR 52.204-21, a subset of those 110, are assessed.

With the above in mind, there are steps contractors with DoD contracts can take now to prepare:

Review DoD Contracts: Identify whether you handle CUI or FCI on existing contracts and forecast the CMMC level you will be required to meet.
Conduct Readiness Assessments under Attorney-Client Privilege: To keep a CMMC readiness evaluation within the attorney-client privilege, involve counsel in all conversations about CMMC readiness, by email or otherwise, including technical discussions and gap analyses, so as to reduce the risk that such findings are disclosed in future litigation, proceedings, or investigations.
Develop a System Security Plan (SSP): Map your data flows and complete an SSP identifying and describing all security controls in place. An SSP is required for Level 2 and Level 3 assessments.
Refine Corporate Policies: Ensure company cybersecurity policies are robust, draft and test incident response plans, and document how the policies are enforced.
Engage with CMMC-Certified Assessors: If you expect to be subject to Level 2 or Level 3, consider scheduling an assessment with a CMMC Third-Party Assessment Organization (C3PAO) early, as there will be a rush of companies trying to sign up once the program takes effect. A Level 2 C3PAO certification is a prerequisite for Level 3.
