October 24, 2024
Scott M. Flicker, Keith Feigenbaum and Hunter Nagai
On October 15, 2024, the Department of Defense (“DoD”) published the final version of its rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) Program under Title 32 of the Code of Federal Regulations (the “Title 32 Rule”).[1] The Title 32 Rule updates DoD’s national security regulations, while a parallel, proposed rule under Title 48 aims to update the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) (the “Title 48 Rule”) to impose cybersecurity requirements on nearly all DoD contractors later this year.[2] As these long-awaited rules come to fruition, Defense Industrial Base (“DIB”) contractors of all sizes and at all levels (i.e., prime contractor or subcontractor) should assess their current cybersecurity compliance level and consider what will be required to compete for future DoD contracts.
DoD initially proposed the Title 32 Rule on December 26, 2023, followed by the proposed Title 48 Rule on August 15, 2024. DoD’s finalization of the Title 32 Rule formally establishes the CMMC Program and outlines the security controls based on the CMMC 2.0 framework. The CMMC 2.0 framework, introduced in November 2021, is designed to enhance cybersecurity across the DIB by requiring contractors to meet specific security standards based on the sensitivity of the information they manage. Under the Title 32 Rule, contractors must comply with the requirements for their respective security level and undergo assessments to confirm compliance.[3] The Title 32 Rule also establishes processes and procedures for the assessment and certification of CMMC compliance, and institutes the roles and responsibilities of the federal government, contractors, and third parties involved in the assessment and certification process.[4]
The Title 32 Rule is set to come into effect on December 16, 2024. Since the rule is considered a major rule, it will be subject to a Congressional review period of up to 60 days prior to becoming finalized into law. Prior to the rule’s implementation, the Title 48 Rule will need to be finalized[5] and the Cyber AB[6]—the CMMC accreditation body—is expected to release its Compliance Assessment Guidelines for CMMC assessors.
The Title 32 Rule largely maintains the CMMC Program’s original structure but includes several important clarifications regarding its applicability, as well as an adjusted timeline for implementation. A table outlining the three-level CMMC 2.0 framework for assessment has now been codified in the Rule’s Preamble[7]:
CMMC certification is a condition of contract award for all applicable DoD contractors and applies equally to both U.S. and non-U.S. contractors.[8] In addition to the requirements outlined in the table above, the Title 32 Rule provides a number of key clarifications as to the applicability of these requirements:
Another important aspect of the Title 32 Rule is the adjusted timeline for CMMC implementation. In particular, Phase 1 of the CMMC’s implementation has been extended by six months, while the rollout of each subsequent phase remains consistent with the rule’s proposed version.[17] The updated timeline is as follows:
With the Title 32 Rule in place, DoD contractors should begin preparing for the phased rollout, which will commence upon entry into effect of the Title 48 Rule. Mapping controls and collecting documentation with respect to FCI and CUI, as well as identifying and addressing any compliance gaps internally and across the supply chain, will require considerable time and resources. DoD contractors should review their current contracts to ensure continued compliance with cybersecurity requirements and prepare for CMMC requirements that will be incorporated into option periods, contract extensions, and new contracts.
Our Data Privacy and Cybersecurity practice regularly advises on compliance with CMMC and other cybersecurity regulations. If you have any questions concerning how these requirements may affect your organization, please do not hesitate to contact the members of our team.
[1] Cybersecurity Maturity Model Certification (CMMC) Program, 32 C.F.R. pt. 170 (2024), available at https://www.govinfo.gov/content/pkg/FR-2024-10-15/pdf/2024-22905.pdf.
[2] Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), Docket DARS-2020-0034 (proposed Aug. 15, 2024) (to be codified at 48 C.F.R. Parts 204, 212, 217, and 252), available at https://www.govinfo.gov/content/pkg/FR-2024-08-15/pdf/2024-18110.pdf.
[3] See 32 C.F.R. § 170.14.
[4] See generally 32 C.F.R. Part 170 (2024).
[5] Among other things, the proposed Title 48 Rule includes a new DFARS provision, 252.204-7YYY, “Notice of Cybersecurity Maturity Model Certification Level Requirements.” This provision requires notice to contractors of the CMMC level required by the solicitation and of the proof of compliance required to be submitted in the Supplier Performance Risk System (“SPRS”). The provision requires: (1) offerors to post CMMC Level 1 and 2 self-assessments in SPRS, (2) third-party assessment organizations to post Level 2 certificate assessments in SPRS, and (3) the DoD assessor to post the Level 3 certificate in SPRS.
[6] Cyber AB, https://cyberab.org/About-Us/Overview.
[7] 32 C.F.R. Part 170.
[8] Id.
[9] 32 C.F.R. § 170.22(a)(2)(ii).
[10] 32 C.F.R. § 170.4(b).
[11] 32 C.F.R. § 170.23.
[12] Id.
[13] Id.
[14] See 32 C.F.R. § 170.16(c)(2) and (3); 32 C.F.R. § 170.17(c)(5) and (6); 32 C.F.R. § 170.18(c)(5) and (6).
[15] 32 C.F.R. § 170.19.
[16] See 32 C.F.R. § 170.16(c)(2) and (3); 32 C.F.R. § 170.17(c)(5) and (6); 32 C.F.R. § 170.18(c)(5) and (6).
[17] 32 C.F.R. § 170.3(e).
[18] 32 C.F.R. § 170.3(e)(1).
[19] Id.
[20] Id.
[21] 32 C.F.R. § 170.3(e)(2).
[22] 32 C.F.R. § 170.3(e)(3).
[23] 32 C.F.R. § 170.3(e)(4).