Department of Defense Finalizes Rule Adding New Cybersecurity Requirements for Defense Contractors and Subcontractors
The U.S. Department of Defense (DOD) has published a Final Rule to implement the Cybersecurity Maturity Model Certification (CMMC) program, which establishes minimum cybersecurity requirements for nearly all DOD contracts. The Final Rule is part of the DOD’s efforts to bolster the protection of sensitive information within the defense industrial base against evolving cybersecurity threats. The Final Rule is effective December 16, 2024, and will require proactive measures by contractors and subcontractors seeking to partner with the DOD.
The Final Rule will be implemented in four phases over a three-year period. Relatedly, the DFARS Proposed Rule outlines how CMMC Program requirements will be incorporated into contracts. Final comments on the DFARS Proposed Rule closed on October 15, 2024, and a Final Rule is expected in mid-2025. This will serve as the effective date for the phase-in process to begin. Once this occurs, solicitations and defense contracts that require contractors to process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) on a non-federal system will condition contract eligibility on a contractor’s ability to meet these new requirements.
Key Provisions of the CMMC Program Final Rule:
The CMMC Program will require contractors entrusted with FCI and CUI to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Responsibility for assigning a contract’s level will generally fall to the contracting officer. Each level will require a contractor to undergo an assessment — either self-conducted or handled by a government-approved third party (i.e., C3PAO) — to test and certify its security controls. Depending on the level, the required assessment may be annual or triennial. A brief overview is as follows:
- Level 1 (Self-Assessment): Contractors that process, store, or transmit FCI must implement the 15 basic safeguarding requirements in FAR 52.204-21, complete an annual self-assessment against them, and submit an annual affirmation of compliance to be eligible for award. No conditional status is available at Level 1: all 15 requirements must be fully met at the time of the self-assessment.
- Minimum flow-down requirement for subcontractors that process, store, or transmit FCI: Level 1 (Self).
- Level 2 (Self-Assessment): A relatively small subset of Level 2 contracts will be eligible for self-assessment. Contractors that process, store, or transmit CUI must implement all 110 security requirements of revision 2 of the National Institute of Standards and Technology's Special Publication 800-171 ("NIST SP 800-171 R2"), the same requirements already imposed by DFARS 252.204-7012. Level 2 (Self) requires a self-assessment every three years and an affirmation of continued compliance each year.
- Minimum flow-down requirement for subcontractors that process, store, or transmit FCI: Level 1 (Self).
- Minimum flow-down requirement for subcontractors that process, store, or transmit CUI: Level 2 (Self).
- Level 2 (C3PAO Assessment): The majority of Level 2 contracts, meaning most contracts that involve CUI, will require a third-party assessment. Contractors that process, store, or transmit CUI must implement all 110 security requirements of NIST SP 800-171 R2 pursuant to DFARS 252.204-7012 and must engage a C3PAO to assess their compliance every three years, with an affirmation of continued compliance in each intervening year.
- Minimum flow-down requirement for subcontractors that process, store, or transmit FCI: Level 1 (Self).
- Minimum flow-down requirement for subcontractors that process, store, or transmit CUI: Level 2 (C3PAO).
- Level 3 (DIBCAC): Contractors handling CUI associated with critical programs or high-value assets must meet 24 additional requirements selected from NIST SP 800-172, on top of the 110 NIST SP 800-171 R2 requirements. Level 3 assessments are conducted every three years by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A contractor must already hold a final Level 2 (C3PAO) status for the systems in scope before it can be assessed for Level 3 (DIBCAC).
- Minimum flow-down requirement for subcontractors that process, store, or transmit FCI: Level 1 (Self).
- Minimum flow-down requirement for subcontractors that process, store, or transmit CUI: Level 2 (C3PAO).
Contractors will generally not be required to meet every CMMC requirement at the moment of award. A contractor that cannot fully satisfy Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) at the time of award, but scores at least 80 percent (for Level 2, at least 88 of the 110 requirements), may be granted conditional status, provided the open items are ones the rule permits to be carried on a Plan of Action and Milestones (POA&M). The contractor then has 180 days to close out the POA&M and reach 100 percent compliance; if it does not, the conditional status expires. Level 1 has no conditional status.
***
Compliance with the CMMC Program will be burdensome: DOD estimates that the cost of the required assessments per entity could range from a few thousand dollars to over $100,000, depending on the CMMC level and the size of the entity. With this in mind, all defense contractors, small or large, should consider a proactive review of their cybersecurity policies and of their current implementation of the NIST SP 800-171 R2 requirements. Because subcontractors that handle FCI or CUI must also be compliant, contractors should map their supply chains and identify which vendors can meet the applicable level. Contractors that are proactive and can reach compliance on a faster timeline will have a competitive advantage in future solicitations.
In addition, contractors should review solicitation requirements carefully — and in advance of submitting a bid — to confirm which CMMC level applies. Depending on the CMMC level, the additional financial burden imposed by CMMC requirements could have a significant impact on the profitability of a given contract.
As the Final Rule and its associated DFARS Proposed Rule are phased in, contractors should ensure that compliance programs and proper vetting procedures for supply chains are up to date. As these requirements are onerous, seeking regulatory counsel assistance may be advisable.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.