The Department of Defense Proposes the Much-Anticipated CMMC 2.0

On December 26, 2023, the Department of Defense ("DoD") published a proposed rule to implement the Cybersecurity Maturity Model Certification ("CMMC") 2.0, which will establish comprehensive cybersecurity requirements for applicable defense contract awardees.

In 2019, the DoD proposed CMMC as a Defense Federal Acquisition Regulation Supplement ("DFARS") interim final rule to require contractors and subcontractors that process sensitive information relating to government contracts to demonstrate compliance with various cybersecurity measures. The CMMC's objective is to prevent foreign adversaries and non-state actors from accessing sensitive information from across the defense industrial base supply chain.

In response to industry comments regarding the burdens CMMC would impose, the DoD released the details of CMMC 2.0 in a proposed rule that is now open for public comment through February 26, 2024. Once final, the DoD will incorporate the new cybersecurity requirements into solicitation provisions and intends to implement these requirements by October 1, 2026.

Applicability

CMMC 2.0 will apply to DoD government contractors, including prime and covered subcontractors providing commercial products and services, that will process, store, or transmit Federal Contract Information ("FCI") or Controlled Unclassified Information ("CUI") on non-federal information systems. It will not apply to: (i) contracts in which contractors operate government information systems on behalf of the government; (ii) contracts under the micro-purchase threshold of $10,000; and (iii) contracts exclusively for commercial off-the-shelf, or COTS, items. Waivers for CMMC 2.0 program requirements will be available for urgent or mission-critical projects.

Key Requirements of CMMC 2.0

CMMC 2.0 consolidates the five security levels in CMMC 1.0 to three levels. Prime contractors and covered subcontractors will be required to conduct a self- or third-party assessment, certify compliance with DoD's Supplier Performance Risk System ("SPRS"), and affirm compliance with applicable security requirements. The specific cybersecurity compliance requirements will depend on the type and sensitivity of the information.

  • Level 1 requires contractors to annually self-assess for compliance with the 15 security controls found in FAR 52.204-21. These controls include limiting, verifying, and controlling information system access.
  • Level 2 requires compliance with the 110 security requirements found in the National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171 and referenced in DFARS 252.204-7012, which provides controls for the protection of CUI in non-federal systems. Certain contracts will allow for triennial self-assessments, while others will require a triennial third-party assessment.
  • Level 3 requires compliance with the 110 security requirements in NIST SP 800-171 as well as 24 selected security requirements from NIST SP 800-172, which provides controls for CUI related to critical government programs or high-value federal assets. Unlike Levels 1 and 2, the DoD will assess compliance and certification.

In addition, contractors will need to submit annual statements affirming compliance in SPRS.

Once finalized, CMMC 2.0 requirements will be introduced into solicitations over a three-year period. The Department of Justice Civil Cyber-Fraud Initiative will enforce liability under the False Claims Act.

As procurement timelines accelerate, CMMC 2.0 compliance will be necessary to conduct business with the DoD and potentially with other government agencies. Defense contractors should continue evaluating their cybersecurity compliance practices in light of the requirements prescribed in this proposed rule.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.