CMMC Proposed Rule Basics: What You Need to Know
Get the basics on the CMMC Proposed Rule and how it will affect you
It’s finally here. The Federal Register published the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program as a proposed rule in 32 CFR on December 26th. After years of debate, evolution, and general confusion, we finally have a proposed rule.
The proposed rule and its supplemental documents clock in at over 200 pages and offer a significant amount of detail around the implementation of the CMMC Program. Overall, if you follow CMMC regularly, there were very few surprises. All of the basics around CMMC stayed true to the CMMC 2.0 program structure announced in November 2021.
This post covers the basics of the rule and serves as a primer for deeper analysis that will follow this post. We will build off this baseline with additional insight and commentary over the next several months and update this post as appropriate.
Here’s what you need to know:
CMMC Program Overview
This section outlines the overall program as well as the underlying process and regulations.
Protecting FCI and CUI
There is a long and well documented need for defense contractors to protect sensitive information. The CMMC Program is meant to “ensure defense contractors and subcontractors have…implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.”
Understanding the Different CMMC Rulemaking Processes
There are references in the proposed rule to the Code of Federal Regulations (CFR) and in particular 32 CFR and 48 CFR.
The proposed rule that was just issued is a change to Title 32 of the CFR. Without falling into a black hole of federal rulemaking process and nuance, the CFR includes the permanent regulations established by the agencies and executive departments of the U.S. federal government. Title 32 of the CFR includes the regulations dealing with national defense. The DoD’s proposed rule in 32 CFR establishes the basis of the CMMC program.
Rulemaking in 32 CFR is complemented by additional rulemaking in a change to Title 48. Title 48 of the CFR deals with government procurement and is where the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) are established. Technically speaking, rulemaking in 48 CFR will include the actual changes to the contract language for CMMC program requirements, such as DFARS 252.204-7021. Information on DoD’s rulemaking in 48 CFR can be found at DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, which is currently scheduled to be published in March 2024.
Referenced Rules and Clauses
The proposed rule references multiple regulations, rules, and clauses. However, the core of the proposed rule builds off several existing FAR and DFARS clauses.
FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, outlines 15 basic security requirements that can be mapped to a subset of the requirements in NIST SP 800-171, rev. 2. This is the required level of protection for FCI.
DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the cornerstone of DoD efforts to protect CUI data. Specifically, the clause:
- Requires contractors to provide “adequate security” for all covered contractor information systems
- Mandates implementation of NIST SP 800-171 on all covered contractor information systems
- Requires that Cloud Service Providers used by the contractor to store, process, or transmit CUI be FedRAMP-Authorized at the Moderate baseline or meet equivalent security requirements
- Specifies cyber incident reporting and related requirements in paragraphs (c) through (g)
DFARS clause 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, requires contractors to conduct a self-assessment according to “NIST SP 800-171 DoD Assessment Methodology.” This methodology is based on NIST SP 800-171A. Self-assessment scores must be reported to the Supplier Performance Risk System (SPRS) and be less than three years old.
DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, establishes the DoD’s right to:
- Directly conduct higher-level assessments of contractors’ cybersecurity compliance beyond the self-assessment requirement in DFARS 252.204-7019 (i.e., to review the contractor’s System Security Plan and self-assessment documentation, or to directly assess the contractor’s implementation of NIST SP 800-171)
- Require contractors to give DoD assessors full access to facilities, systems, and personnel
DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, paves the way for the rollout of the CMMC Program. Originally issued as an interim final rule in 2020, this clause is expected to be updated by ongoing rulemaking in 48 CFR (DFARS Case 2019-D041). It is expected that the updated clause will be used to include CMMC Program requirements in future DoD contracts and solicitations.
Three Levels of CMMC
The CMMC proposed rule includes three maturity levels aimed at protecting FCI (Level 1), CUI (Level 2), and defending against advanced persistent threats such as nation-state actors (Level 3).
As a reminder, NARA (the agency responsible for overseeing the federal CUI program), highlights the difference between FCI and CUI this way: “While FCI is any information that is ‘not intended for public release,’ CUI is information that requires safeguarding.” [emphasis added]
More details on the differences between CUI and FCI can be found in this blog post.
Types of CMMC Assessments
As shown in the table above, there are several types of assessments outlined in the proposed rule based on the CMMC Level. Contracting officers and program managers will determine the level of data protection required as well as the CMMC Level required for a contract based on DoD policy.
Level 1 Self-Assessment
Level 1 assessments are based on the security requirements in FAR 52.204-21. Self-assessments must be performed annually, and scores must be entered into SPRS. Assessments are affirmed by a senior official of the contractor.
Level 2 Self-Assessment
Level 2 assessments are based on NIST SP 800-171, rev. 2. Select contracts (estimated to cover 4.9% of contractors requiring Level 2) will allow a self-assessment even though the contract involves CUI. Level 2 self-assessments are performed annually and affirmed by a senior official of the contractor after the assessment, at POA&M closeout. Which contracts will require a Level 2 Self-Assessment rather than a Level 2 Certification Assessment is still unclear and will be subject to the determination of Program Managers.
Level 2 Certification Assessment
Contracts that require a Level 2 Certification Assessment will feature the following requirements:
- Implementation of the security requirements in NIST SP 800-171, rev. 2
- Assessments must be performed by a CMMC Third-Party Assessment Organization (C3PAO) that has been certified by the Accreditation Body (The Cyber AB)
- Assessment results will be entered into CMMC Enterprise Mission Assurance Support Service (eMASS), which electronically transmits them to SPRS
- While some select security requirements may be eligible for a Plan of Action and Milestones (POA&M) if they are not found to be fully implemented during assessment, other requirements constitute “automatic failure” if they are not found to be MET during the assessment. Any allowed POA&M items must be closed out within 180 days before a final certification will be issued
- Contractors must be reassessed triennially (every three years), and a senior official of the contractor must reaffirm compliance annually
Level 3 Certification Assessment
Contracts that require a Level 3 Certification Assessment will feature the following requirements:
- CMMC Level 2 certification is a prerequisite (i.e., full implementation of NIST SP 800-171, rev. 2)
- Level 3 certification is based on implementation of 24 selected security requirements from NIST SP 800-172
- Assessments will be performed by the DoD
- Results will be entered into CMMC eMASS, which electronically transmits them to SPRS
- The assessment score is affirmed by a senior official of the contractor after each assessment, including POA&M closeout, and annually thereafter
- While some select Level 3 requirements may be eligible for a POA&M, they must all be closed out within 180 days
What Else Should You Know?
One of the few surprises in the proposed rule regards the timeline for implementation. While a seven-year timeline was expected, the DoD aims to have “CMMC requirements for Levels 1, 2, and 3 issued on or after October 1, 2026.” This significantly accelerates the timeline contractors have to become compliant, with new Level 2 certification requirements likely to begin appearing in contracts by Fall 2024. Look for a deeper look at the timeline and its impact in a future blog post.
Conditional Assessments & POA&Ms
The proposed rule contains some limited flexibility around the concern of CMMC being fully pass/fail. At Level 2, a contractor receives a Conditional Assessment if three conditions hold: the assessment score meets a minimum threshold, no unmet security requirement has a point value greater than 1, and all five of the “can’t miss” 1-point requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5) are met. The contractor then has 180 days to close out the POA&M, at which point the contractor must, in the case of a self-assessment, conduct a Final Self-Assessment or, in the case of a certification assessment, obtain a POA&M closeout assessment performed by a C3PAO to receive a Final Certification Assessment. In either case, if the POA&M is not closed out within 180 days, the Conditional Assessment expires.
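The Level 2 Conditional Assessment test above, as an added Python example that is not from this post or the rule: it applies the three conditions to a set of unmet requirements and computes the 180-day POA&M closeout date. The score threshold is an assumed parameter (the post says only “a minimum score threshold”; 88 is 80% of the DoD Assessment Methodology’s 110-point scale), and the sample requirement weights are constructed for illustration.

```python
from datetime import date, timedelta

# The five 1-point "can't miss" requirements named in the rule (from the post).
CANT_MISS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
MAX_SCORE = 110                    # DoD Assessment Methodology starts at 110
POAM_WINDOW = timedelta(days=180)  # closeout window stated in the rule


def score(point_values, unmet):
    """Subtract each unmet requirement's point value from the 110 maximum."""
    return MAX_SCORE - sum(point_values[r] for r in unmet)


def conditional_status(point_values, unmet, assessed_on, threshold=88):
    """Classify a Level 2 outcome as 'final', 'conditional' or 'fail'.

    assessed_on is an ISO date string. threshold is an assumed parameter
    (88 = 80% of 110; the post does not state the number). Returns a pair:
    ('final', None), ('conditional', poam_expiry_date) or ('fail', reason).
    """
    unmet = set(unmet)
    if not unmet:
        return "final", None
    s = score(point_values, unmet)
    if s < threshold:
        return "fail", f"score {s} is below the {threshold} minimum"
    heavy = sorted(r for r in unmet if point_values[r] > 1)
    if heavy:
        return "fail", f"unmet requirements worth more than 1 point: {heavy}"
    missed = sorted(unmet & CANT_MISS)
    if missed:
        return "fail", f"can't-miss requirements unmet: {missed}"
    return "conditional", date.fromisoformat(assessed_on) + POAM_WINDOW


# Constructed sample: a few requirement IDs with illustrative point values
# (can't-miss items are 1 point as the rule states; the others are made up).
SAMPLE_POINTS = {"3.1.1": 5, "3.1.20": 1, "3.1.22": 1, "3.3.1": 3, "3.5.3": 5,
                 "3.10.3": 1, "3.10.4": 1, "3.10.5": 1, "3.13.16": 1}

if __name__ == "__main__":
    for unmet in (set(), {"3.13.16"}, {"3.1.1"}, {"3.10.3"}):
        print(sorted(unmet), conditional_status(SAMPLE_POINTS, unmet, "2024-01-15"))
```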
NIST SP 800-171 Rev 2
Revision 2 of NIST SP 800-171 is hard coded throughout the proposed rule. There is no discussion around a transition to Revision 3, which is currently published in draft form. However, DFARS 252.204-7012 stipulates that: “…the covered contractor information system shall be subject to the security requirements in [NIST SP 800-171] in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” This discrepancy has yet to be resolved and could lead to a contractor having contractual obligations to implement multiple versions of NIST SP 800-171.
Level 3 and NIST SP 800-172
As expected, CMMC Level 3 requires contractors to meet 24 selected requirements from NIST SP 800-172. CMMC Level 2 is a prerequisite for CMMC Level 3. Titled Enhanced Security Requirements for Controlled Unclassified Information, NIST SP 800-172 is designed for CUI “associated with a critical program or high value asset.”
Discussion of Public Comments and Resulting Changes
Within the proposed rule, DoD provides detailed responses to many of the comments from the original CMMC 1.0 version, including the recurring theme of CMMC posing undue costs and burden to contractors. We’ll have more on this section of the proposed rule and its implications for contractors and the CMMC rollout in an upcoming post.
The DoD provided an extensive analysis and justification for the costs associated with the CMMC Program. Essentially, the DoD considers the cybersecurity measures required to meet FCI and CUI protection to be sunk costs, as the requirement to implement NIST SP 800-171 has been in effect for all DoD contracts since the end of 2017. (For a history of DoD cybersecurity requirements, check out this infographic.) The cost analyses in the proposed rule center around the costs associated with the assessment and affirmation processes. We’ll provide additional analysis of CMMC program costs in an upcoming post.
Just the Start
The proposed rule in 32 CFR is just the start. In addition, the DoD published the following supporting materials to Regulations.gov. These documents are materially unchanged from the versions that were accidentally released in August 2023.
- CMMC Model Overview
- CMMC Level 1 Scoping Guide
- CMMC Level 1 Assessment Guide
- CMMC Level 2 Scoping Guide
- CMMC Level 2 Assessment Guide
- CMMC Level 3 Scoping Guide
- CMMC Hashing Guide
For more than six years, C3 Integrated Solutions has been committed to supporting the Defense Industrial Base with innovative technology & cybersecurity solutions, day-to-day IT management, and the professional services, consulting, and support required to protect our nation’s critical data. As one of the first MSPs to provide Microsoft GOV CLOUD services, we have developed groundbreaking services and solutions—such as the Steel Root Compliance Platform—explicitly designed to accelerate and maintain CMMC compliance.
Covered contractor information systems are unclassified systems that store, process, or transmit CUI. Generally, these are the systems commonly considered “in scope” for compliance assessments.