The Cybersecurity Maturity Model Certification (CMMC) has reached a major governmental milestone, meaning it is more likely we will see CMMC in defense contracts in the first half of 2025. That’s just months away.
CMMC has gone through a lot of false starts and changes and has dragged on for over four years. But a new CMMC proposed rule to change defense contract requirements was published in the United States Federal Register on August 14 and has put CMMC on a faster track towards implementation.
CMMC will require defense contractors to qualify for new contracts or renewals by proving they have successfully completed a CMMC assessment at the time of contract award.
Based on the proposed rule (which may be revised before it becomes final), IT Managed Service Providers (MSPs) will be required to pass an assessment at the same level as that required of their defense contractor client, or the client will fail their assessment.
The Complexities of the Coming Changes
The federal rulemaking process can be confusing and tedious. Implementing CMMC necessitated two major changes to the existing rules that require defense contractors to implement strict cybersecurity protocols. The Title 32 CMMC Proposed Rule, including new cybersecurity and assessment requirements, was published on December 26, 2023, and is now being finalized after a public comment period. A final rule is expected in October or November.
That doesn’t mean that CMMC will immediately be included in contracts. For that to happen, a new Title 48 rule would need to change the current Defense Federal Acquisition Regulation Supplement (DFARS) clauses that appear in defense contracts.
The newly proposed Title 48 rule includes the wording changes for the draft DFARS requirements that have already been published and a timeline for adding CMMC to contracts. A 4-year phase-in period will allow CMMC to be required in gradually increasing numbers of contracts until all contracts include CMMC.
Because contractors will not know which contracts will require CMMC when it starts in 2025 or which ones will be delayed, many prime contractors will be demanding proof of CMMC certification from their subcontractors before it takes effect.
All defense contractors will be required to implement CMMC. Level 1 contractors that only access, process, or transmit Federal Contract Information (FCI) will be required to self-assess. They will also need to have a senior executive attest that their cybersecurity implementation meets 15 requirements in the Federal Acquisition Regulation (FAR).
Level 2 defense contractors that access, process, or transmit Controlled Unclassified Information (CUI) will need to implement the 110 cybersecurity practices in NIST SP 800-171, meet its 320 assessment objectives, and pass an assessment that requires a perfect score, followed by an annual attestation by a senior executive. A small percentage of defense contractors will need to meet a higher standard to protect especially sensitive CUI.
The proposed rule included an estimated Level 2 assessment cost of over $100,000. Assessment certifications will be valid for three years before another assessment is required, but every year a senior executive will need to legally attest that the required level of cybersecurity is being consistently implemented. At any time, the Department of Defense can audit defense contractors to validate their cybersecurity and revoke their certification if their cybersecurity has been misrepresented.
Many defense contractors are small companies that act as subcontractors to prime contractors that are awarded large projects. The new proposed DFARS regulation says that prime contractors will not be given access to the Department of Defense database of certified contractors, requiring CMMC certification and verification to be managed between the prime contractors and their subcontractors.
Additional Costs and Challenges
The new rule proposal also says:
- If material changes occur to a defense contractor’s business or IT environment, a new assessment will be required;
- Contractors must notify their Contracting Officer within 72 hours when there are “any lapses in information security,” which expands the current requirement. This covers all Level 1, 2, and 3 contractors that handle either Controlled Unclassified Information (CUI) or Federal Contract Information (FCI);
- Contractors must notify their contracting officer if there is a change to their CMMC level or certification status;
- CMMC will apply to contracts below the Simplified Acquisition Threshold of $250,000 except for contracts that are solely for the purchase of Commercial Off-the-Shelf (COTS) products or contracts under the $10,000 micro-purchase threshold.
The proposed CMMC requirements state that IT Managed Service Providers (MSPs) and the security protection tools they use are in scope for their client’s assessments.
The proposed CMMC rule also states that the cloud-based security protection tools used by MSPs and IT departments to monitor, scan, and protect a defense contractor’s network are in scope, and that the cloud service vendors must meet federal standards that are expensive and time-consuming to implement. This makes it unlikely that most of the cloud-based cybersecurity vendors popular with MSPs will be able to meet the CMMC requirements when it takes effect.
The new CMMC requirements for executive leadership attestation and the new requirements for communicating changes and notifications after incidents will be enforced through the federal False Claims Act, which requires repayment of three times what was received from the government, plus fines, and potentially being banned from future contracts. Whistleblowers are actively encouraged by the government to report the misrepresentation of cybersecurity with rewards of up to 30% of a penalty. The U.S. Department of Justice has a Cyber Fraud Initiative to actively pursue government contractors that misrepresent their cybersecurity.
Summing Up CMMC
Following years of delays and changes, a new proposed rule published in August 2024 has put CMMC on a faster track toward implementation.
The Cybersecurity Maturity Model Certification (CMMC) is set to become a requirement in defense contracts by early 2025, marking a significant shift for defense contractors and managed service providers (MSPs).
This certification will require contractors to undergo extensive cybersecurity assessments to secure or renew contracts, with a phase-in period that will gradually enforce these requirements across the industry.
MSPs, in particular, need to be aware that their services and security tools will be scrutinized under CMMC, and failure to meet these stringent standards could jeopardize their clients’ contracts. As compliance can be both costly and time-consuming, it’s crucial for MSPs to proactively prepare for these changes to avoid penalties and ensure they remain competitive in the defense sector.
Mike Semel, “The Complianceologist,” is president of Semel Consulting. He is a CMMC Certified Assessor, CMMC Certified Professional, CMMC Registered Practitioner, Certified Security Compliance Specialist, Certified HIPAA Security Professional, Certified Business Continuity Professional, and a Certified Cyber Resilience Professional.