CMMC 2.0: New Compliance Requirements and Enforcement Risks

Contractors in the defense industrial base, beware.  After years of anticipation, the Department of Defense (DoD) finally published its final rule implementing Cybersecurity Maturity Model Certification 2.0 (“CMMC”) on October 15, 2024.  CMMC is a regulatory framework to ensure that DoD contractors and subcontractors comply with cybersecurity requirements that have largely been in place since 2017.  These standards now have teeth, and they require contractors to comply or potentially face steep consequences.

CMMC 2.0 Overview

The CMMC framework is designed to ensure that DoD contractors are meeting existing requirements in DFARS 252.204-7012, -7020, and -7021.  CMMC applies to all DoD contractors that have access to sensitive, unclassified information labeled as either controlled unclassified information (“CUI”) or federal contract information (“FCI”).  It requires contractors to implement cybersecurity standards at progressively advanced levels, depending on their access to confidential information.

Each tier represents a different level of security risk and a commensurate level of cybersecurity requirements.  The specific level of cybersecurity requirements will be specified in each new solicitation.  At the lowest tier (Level 1), contractors that access only FCI must meet the 15 specific cybersecurity requirements in FAR 52.204-21.  They must also perform and verify an annual self-assessment, certifying to the government that they meet the required standards.  At Level 2, contractors that access both FCI and CUI must meet the 110 security requirements listed in NIST SP 800-171, perform and verify an annual self-assessment, and undergo assessments every three years.  These triennial assessments can be conducted by the contractor itself, or they can be conducted by a third party for a higher level of certification.  And for Level 3, contractors with access to high-level CUI must also implement 24 additional selected security requirements from NIST SP 800-172, make an annual certification, and undergo a government-led assessment every three years.

CMMC’s requirements will be phased in over the next three years, with new restrictions being implemented every year after the initial December 16, 2024, implementation date.  Each phase will implement additional restrictions, starting with implementation of Level 1 requirements in the first phase and ending with the implementation of all three levels by December 16, 2027.  Although the phases specify a timetable for implementation of specific requirements, DoD retains some discretion as to which requirements are implemented in specific phases.  The phased approach will give contractors additional time to implement the various NIST requirements, and it will allow time to develop an ecosystem of third-party assessors.

These CMMC requirements will apply not only to DoD contractors, but must flow down to all subcontracts that store or transmit protected information.  Prime contractors will therefore have to ensure that their subcontractors obtain and maintain the proper CMMC certifications to perform the work.

Consequences for Contractors

The Government has multiple means of ensuring strict compliance with these cybersecurity rules:

  • First, it can restrict future DoD contracts to contractors that have implemented the NIST standards, as verified by third-party assessments. Solicitations will specify the appropriate level of certification, and compliance with the appropriate requirements will be a condition of contract or option award.  DoD can also insert CMMC 2.0 requirements into existing contracts through negotiated, bilateral modifications.
  • Second, DoD can take “contractual remedies” against existing contractors that fail to take seriously their cybersecurity responsibilities. DoD has warned that failure to implement NIST requirements “may be considered a material breach of contract” that could be enforced by “withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”
  • Third, the Department of Justice can prosecute False Claims Act cases against contractors based on allegedly false certifications that they meet the cybersecurity requirements. The DoJ has been ramping up this effort since it announced its Civil Cyber-Fraud Initiative in 2021, and it recently announced its first intervention in a False Claims Act suit based on alleged cybersecurity failures.  On August 22, 2024, the DoJ announced that it would intervene in a suit against Georgia Institute of Technology (“Georgia Tech”), alleging that it failed to comply with existing cybersecurity requirements despite holding numerous DoD contracts.  The DoJ alleges that the university falsely certified compliance with DoD cybersecurity requirements because “they wanted the money” and that such certifications are a “condition of contract award.”  For example, the complaint alleges that Georgia Tech’s Astrolavos Lab—which holds contracts with DoD to study cybersecurity issues—“failed to enforce basic cybersecurity” measures at the lab and instead falsely certified that it was compliant based on “fictitious” self-assessments.

The Government’s lawsuit against Georgia Tech is likely only the tip of the iceberg.  The False Claims Act provides significant incentives for whistleblowers to file suit, and the DoJ’s cybersecurity initiative opens a new avenue for such suits.  These suits must be filed under seal, such that not even the target of the suit will know about the allegations until the Government and potential whistleblowers agree to reveal them after the Government investigates the claims.  This process can take months or years.  As a result, there may be many more such suits currently under seal that DoJ is pursuing.

Key Takeaways for Contractors

DoD contractors and subcontractors must be proactive in preparing for compliance, leveraging technology, engaging in training, and working with third-party assessors to ensure they meet the new requirements.  They must ensure that they have plans in place to comply with the sometimes onerous NIST requirements.  Cybersecurity compliance is a long-term process.  Contractors must first understand the nature and extent of the controlled information that they access in their existing contracts and in contracts on which they wish to bid in the future.  They must create detailed System Security Plans that help them prepare for any self-assessment or third-party assessment.  Such assessments can be performed under the cloak of attorney-client privilege so that contractors can get honest, initial assessments of their state of readiness.  Contractors seeking higher-level certifications should also plan early with third-party assessors, whose services are currently in high demand.

Nichols Liu’s team can assist contractors with the implementation of the CMMC requirements.  Please contact the authors of this article or the Nichols Liu attorney with whom you regularly work.
