Pentagon to officially implement CMMC 2.0 requirements in contracts by Nov. 10
Authors
Bret S. Wacker , Melissa K. Ventrone , Ronald D. Sullivan , J. Chris White
Last week, the Pentagon published the new rule to the Federal Register titled “Assessing Contractors’ Implementation of Cybersecurity Requirements.” This rule, which amends the Defense Federal Acquisition Regulation Supplement (DFARS), takes effect on Nov. 10 and introduces the Cybersecurity Maturity Model Certification 2.0 framework (CMMC 2.0) as a mandatory requirement for government contractors who handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The CMMC has gone through several delays and revisions since it was first introduced in 2019. This framework is an important initiative to strengthen contractors’ cybersecurity safeguards and the protection of information systems in the face of increasingly complex and frequent cybersecurity attacks. Compliance is increasingly important in light of the U.S. government’s lawsuits under the False Claims Act against various contractors for failure to meet cybersecurity requirements in government contracts.
Key takeaways for government contractors
- Mandatory compliance with CMMC 2.0: The rule requires contractors to comply with the CMMC 2.0 framework, which includes three levels of certification, each with different requirements depending on the sensitivity of the information handled:
- Level 1: Self-assessment for contractors handling FCI (less sensitive information).
- Level 2: Self-assessment or a third-party assessment (C3PAO) for contractors handling CUI (more sensitive information).
- Level 3: Certification by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for contractors handling a higher level of CUI (the most sensitive information).
- Conditional certification with POA&Ms: Contractors at Levels 2 and 3 who do not fully meet the standards may receive a conditional certification for up to 180 days by submitting “Plans of Action & Milestones” (POA&Ms).
- SPRS compliance checks: Government contracting officers will utilize the Supplier Performance Risk System (SPRS) to verify a contractor’s CMMC compliance status before awarding contracts, and in some instances before executing contract extensions (options).
- 72-hour incident reporting: This new rule maintains the requirement for contractors to report cybersecurity incidents within 72 hours.
- Phased implementation: The rule will be phased in over three years for contractors handling FCI or CUI, but contractors will be required to certify their compliance annually.
Notable Policy Changes
- The introduction of POA&Ms provides flexibility for contractors to address compliance gaps without immediate disqualification.
- The phased implementation timeline allows contractors to gradually align their practices with CMMC 2.0 requirements.
- SPRS compliance checks add an additional layer of accountability.
Recommendations for Contractors
- Assess Current Cybersecurity Practices: Contractors must become familiar with this new rule and conduct a thorough review of their systems to determine their current level of compliance with CMMC 2.0 standards.
- Determine Your CMMC Level: Contractors must identify whether their contracts involve FCI or CUI and the corresponding CMMC level required.
- Prepare for Certification: Begin preparations for self-assessment, third-party assessment, or DIBCAC certification as applicable.
- Develop POA&Ms: If gaps exist in a contractor’s compliance, a detailed plan is required.
- Ensure subcontractor compliance: Prime contractors are responsible for verifying that their subcontractors maintain the same level of compliance for handling the contract’s FCI or CUI.
- Monitor SPRS compliance: Contractors must regularly and accurately report their compliance status in the Supplier Performance Risk System.
We encourage you to take proactive steps to ensure your company is prepared for these changes. Our team is here to assist you in understanding these developments. Please do not hesitate to reach out to our team if you have any questions or require assistance.
Law clerk Lauren Tessler contributed to this article.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.