August 29, 2024

CMMC 2.0: DoD Takes the Next Step and Issues a Proposed DFARS Rule

Advisory

We recently discussed the December 26, 2023 Department of Defense (DoD) proposed rule laying the foundation for the Cybersecurity Maturity Model Certification (CMMC) 2.0 Program. On August 15, 2024, DoD took the next step towards implementing CMMC by issuing a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS). If enacted, the rule would revise certain DFARS provisions and create new provisions to establish CMMC policies and solicitation and contract requirements. Comments on the proposed rule are due by October 15, 2024.

Key Elements of the Proposed Rule

  • CMMC Level Notice: The proposed rule would create a new clause DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements. Contracting officers must insert that clause into solicitations subject to CMMC and, through that clause, identify the applicable CMMC level. The proposed rule would also modify certain other relevant DFARS clauses.
  • Timing: Under the proposed rule, at the time of award and before DoD exercises an option for a contract subject to CMMC, defense contractors must have a current CMMC self-assessment or certification and annual affirmation. Level 1 self-assessments are current if they were performed within the past 12 months and no changes in CMMC compliance have occurred since that assessment; Level 2 certifications and self-assessments and Level 3 certifications are current if they are no more than three years old and no changes in CMMC compliance have occurred since that assessment; and affirmations of continuous compliance are current if they were submitted within the past 12 months and no changes in CMMC compliance have occurred since the date of the affirmation. Additionally, prior to exercising options, agencies must confirm the contractor has made the required affirmations of continuous compliance.
  • Reporting CMMC Information: The proposed rule would require current and prospective contractors to post CMMC self-assessments, certifications, and annual affirmations of continuous compliance in the Supplier Performance Risk System (SPRS). (We discussed the CMMC levels and annual affirmation requirements in our January 5, 2024 CMMC Advisory.) The contractor must submit the Level 1 and Level 2 self-assessment data and annual affirmations to the SPRS, and certified third-party assessment organizations must report Level 2 and Level 3 certification data to the SPRS on the contractor’s behalf. The SPRS will assign a DoD Unique Identifier (UID) to each contractor information system relevant to the contract/offer (i.e., an information system that processes, stores, or transmits federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract). The apparent successful offeror must provide the UID for each covered contractor information system that the contractor will use to perform the contract to the agency as part of the procurement and before using new covered contractor information systems during performance.
  • Changes to Information Systems: The proposed rule would require contractors to notify the contracting officer within 72 hours of “any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.” As discussed below, this is a new requirement that arguably broadens reporting obligations beyond “cyber incidents” as defined in DFARS 252.204-7012.
  • Joint Ventures: The proposed rule makes clear that CMMC requirements will apply to joint ventures, including mentor-protégé joint ventures. The proposed rule states that “[e]ach individual entity that has a requirement for CMMC would be required to comply with the requirements related to the individual entity’s information systems that process, store, or transmit FCI or CUI during contract performance.” Joint ventures can likely address CMMC risks in multiple ways, but joint venture members should consider these issues as early as possible, including when preparing the joint venture agreement.
  • Subcontractors: The proposed rule would require prime contractors and higher tier subcontractors to incorporate CMMC requirements in subcontracts and to “ensure that the subcontractor has a current CMMC certificate or current CMMC self-assessment at the CMMC Level that is appropriate for the information that is being flowed down to the subcontractor.” In response to a comment on the CMMC 1.0 interim rule, DoD advised that when a prime contractor must validate a subcontractor’s CMMC self-assessments and certifications under the proposed rule, prime contractors are “expected to work with their suppliers to conduct verifications as they would under any other clause requirement that applies to subcontractors.”
  • Common Carrier Telecommunications Systems: The proposed rule clarifies that common carrier telecommunications systems, which presumably include telecommunications systems operated by internet service providers, are not considered covered contractor information systems. Contractors should, however, encrypt communications consistent with National Institute of Standards and Technology Special Publication 800-171.

Other Considerations and Takeaways

  • Notifications of Lapses in Information Security and CMMC Changes: As noted above, the proposed rule would require contractors to notify contracting officers within 72 hours of any security lapse or change in CMMC status during contract performance. The proposed rule does not define the phrase “lapse in information security.” DoD’s decision to use the term “lapse in information security” rather than the already established term “cyber incident” is notable and suggests that DoD intends to impose broader contractor reporting obligations beyond the DFARS 252.204-7012 cyber incident reporting requirements.
  • Continuous Monitoring, Compliance Programs, and Potential False Claims Act Risks: The December 2023 proposed rule and this proposed rule make clear that contractors must continuously monitor CMMC compliance or face liability risks, including potentially under the False Claims Act (FCA). Both rules, if enacted, would require contractors to expressly affirm continuous compliance with applicable CMMC levels on an annual basis; those affirmations in and of themselves would create FCA risks if they are later deemed to have been inaccurate in some way. But the risks go beyond the annual affirmation requirement. As explained above, offerors must have current CMMC self-assessments and certifications in the SPRS before award. Self-assessments and certifications are current only if they are not older than one year (CMMC Level 1) or three years (CMMC Levels 2 and 3) and there have been no changes in CMMC compliance. In addition, the proposed rule would require contractors to notify the contracting officer within 72 hours of “any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.” At least in theory, the following fact pattern could give rise to FCA risk: an offeror or contractor does not continuously monitor CMMC compliance and, as a result, overlooks security changes that affect CMMC compliance and fails to make the required notification to the government, and the government then relies upon outdated CMMC data in the SPRS when making an award or exercising an option. To mitigate these risks, contractors should ensure CMMC self-assessments, certifications, and affirmations are accurate and develop robust compliance programs designed to identify and address information system changes that could affect CMMC compliance, as well as to make necessary notifications to the government.
  • Flow-Down Requirements and Risk Mitigation: As noted above, prime contractors and higher tier subcontractors flow CMMC requirements down to subcontractors, but the rule does not stop there. It suggests that prime contractors and higher tier subcontractors have an obligation to “ensure” subcontractor compliance. This presents new risks for prime contractors and higher tier subcontractors on the one hand and lower tier subcontractors on the other. Prime contractors and higher tier subcontractors should ensure they are taking steps to mitigate risks associated with subcontractor noncompliance, including requesting SPRS data, auditing subcontractors, and structuring subcontracts to shift burdens and risks to lower tier subcontractors. Lower tier subcontractors should structure subcontracts to mitigate their own risks, including considering subcontract provisions that limit the FCI or CUI that will be shared with the lower tier subcontractor and shift the burden of identifying CUI to prime contractors and higher tier subcontractors, provided of course that the government has identified the relevant information as CUI in the first place in accordance with National Archives and Records Administration and DoD policies and guidance implementing the government-wide CUI program. These types of provisions could be the subject of intense negotiation.
  • Cost Allowability: The FAQs accompanying CMMC 1.0 stated that “[t]he cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive,” but DoD appears to have removed that FAQ as part of the transition to CMMC 2.0. The CMMC 2.0 FAQs are silent on the allowability of costs to implement CMMC. The proposed rule also does little to address contractor concerns about CMMC costs and merely directs contractors to the Federal Acquisition Regulation (FAR) Cost Principles, namely FAR 31.201-2, Determining allowability. The extent to which current and prospective contractors can recover costs associated with CMMC and the process for recovering those costs will turn on a variety of circumstances, including the type of contract, whether a particular information system is used to perform multiple contracts (e.g., an enterprise-wide information system) rather than an information system developed for a particular contract, and whether costs may be allowable under FAR 31.205-32, Precontract costs. Companies interested in competing for contracts that incorporate CMMC should consider these issues early in the procurement process.

What Comes Next?

  • Prepare for CMMC: Current and prospective defense contractors that have begun preparing for CMMC implementation should adjust and modify their planning and compliance systems based on how the proposed rule would affect their contract performance and pursuit of new awards. Defense contractors that have not begun preparing for CMMC should do so to ensure they are well-positioned for future contract opportunities and contracts.
  • Rulemaking Process: Defense contractors should consider submitting comments, whether individually or through an industry organization. There are a variety of elements of both CMMC proposed rules that contractors may want to influence. We expect to see final CMMC rules published in 2025 followed by the phased implementation we discussed in our January 5, 2024 CMMC Advisory.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.