On December 26, 2023, the Department of Defense, through the Office of the DoD Chief Information Officer, published the proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program. The proposed rule keeps the “three key features” outlined in CMMC 2.0. The first is the tiered model: three CMMC levels for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The second is the assessment requirement, and the third is implementation through contracts. As has been discussed for several years, the last two features are the forcing functions and therefore the most important. In substance, the proposed rule requires government prime contractors and subcontractors to meet the requirements of NIST SP 800-171 and to provide evidence of compliance as a pre-award condition: a self-assessment for FCI (and for a limited set of CUI), or, for most CUI, a certification based on a third-party audit.
It is important to recognize that nothing in the proposed rule is new; the history sketched here covers only the main milestones. These requirements have their origin in Executive Order 13556 of November 2010, which established the requirement to define and protect CUI. Next came the June 2015 publication of NIST SP 800-171, which defined the safeguarding requirements for protecting CUI in non-federal systems. Contractors handling CUI were then required to meet NIST SP 800-171 by December 31, 2017. That requirement relied on contractor self-attestation, and it was less than successful. To enforce industry compliance, the Department of Defense released the CMMC 1.0 interim rule in November 2020, which defined five levels of compliance and required independent third-party audits. In March 2021, the Department initiated a review of the CMMC 1.0 implementation. The review drew about 850 public comments, and in November 2021 the Department released CMMC 2.0, a streamlined and adjusted version of 1.0. CMMC 2.0 is the foundation of this proposed rule.
As with all preceding rules, the current proposed rule has a 60-day comment period, after which the government will address the comments received. In the proposed rule, the government consolidated many of the comments on the previous interim CMMC rule; its responses provide clarification and justification for much of the regulation. As noted previously, the government intends to phase CMMC in over time, that is, over about seven years. It will introduce CMMC requirements into solicitations over three years, and it anticipates that companies with existing contracts will need about two years to become CMMC-certified. The proposed rule plans for the CMMC requirement, at all levels, to appear in all applicable DoD contracts on or after October 1, 2026. This includes both self-assessment affirmations and third-party certifications.
As in the earlier rules, the program manager for a contract identifies the appropriate CMMC level. During the phase-in period, some programs will be required to include CMMC requirements, while for others inclusion remains at the program manager’s discretion. The estimated number of companies in the Defense Industrial Base (DIB) affected is about 221,000: about 164,000 are considered small and 57,000 “other than small.” Business size plays no part in the CMMC requirement itself; the requirements are the same for small and other-than-small companies. By level, about 140,000 companies are expected to need CMMC Level 1, 80,000 Level 2, and 1,500 Level 3.
The government’s cost estimates in the proposed rule, like those in the 2020 interim rule, deserve a close look. The estimates are built on several scenarios: Level 1 and Level 2 self-assessments and Level 2 and Level 3 third-party audits. They cover contractor costs, both non-recurring and recurring. The important point is what the estimates leave out. The non-recurring costs counted are the one-time costs in hardware, software, labor, infrastructure, and so on needed to complete the assessment or certification itself. Not counted are the non-recurring and recurring costs of implementing the underlying security requirements: developing the system security plan and meeting the 110 NIST SP 800-171 requirements. The government treats these implementation costs, the cost of getting there, as already incurred, on the reasoning that contractors handling FCI or CUI are already obligated to be compliant under the existing FAR and DFARS clauses and should already be ready for assessment. Of course, the journey to compliance is the most significant cost for a contractor. The bottom line, per the government’s estimate of contractor cost: an annual CMMC Level 1 self-assessment costs about $4,000 per year for an other-than-small (large) business and about $6,000 per year for a small business. A triennial CMMC Level 2 self-assessment costs approximately $49,000 for a large business and roughly $37,000 for a small one. A triennial CMMC Level 2 third-party audit costs about $117,000 for a large business and about $105,000 for a small one. These costs, of course, are unreasonable for most small businesses, and that is before counting the implementation costs the estimates leave out.
The proposed rule covers more subjects than those discussed here. It affirms that the CyberAB is the accreditation body for CMMC. As part of its responsibilities, the CyberAB oversees the CMMC Assessor and Instructor Certification Organization (CAICO), which is responsible for the individuals and organizations involved in certifying, training, instructing, and quality-assuring the assessment ecosystem. The proposed rule also touches on external service provider responsibilities and operational technology; the rule implies that these topics will be addressed in more detail at a later date.
The most important takeaway from the proposed rule is that the baseline has not changed: the requirements and assessment objectives of NIST SP 800-171 remain as they were, and the audit requirement remains. Most companies will not be affected by the administrative details of the proposed rule. For most companies, the goal is to meet the requirements, fill out the forms, pass the audit, and get the work done. The focus of effort for most companies in the DIB should be working toward their required compliance level.