Final DoD Cybersecurity Maturity Model Certification Rule Will Bring Compliance Challenges, Increased False Claims Act Risk

Client Alert

On October 11, 2024, the U.S. Department of Defense (DoD) at long last published a final rule establishing the Cybersecurity Maturity Model Certification (CMMC) Program (the Final Rule). Designed to ensure that federal contractors have implemented safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Final Rule sets up a new compliance framework for DoD contractors and subcontractors that process FCI or CUI.

The requirements include:

  • robust assessments against the security control standards in FAR 52.204-21 and NIST SP 800-171;
  • senior official compliance affirmations;
  • potential third-party audits; and
  • remediation plans to address gaps, and limitations on the use of Plans of Action and Milestones (POA&Ms) to satisfy gaps in unmet standards.

The Final Rule will bring both compliance challenges and increased False Claims Act (FCA) risk. Since cybersecurity compliance is already a focus of aggressive enforcement against federal contractors through the Department of Justice (DOJ) Civil Cyber-Fraud Initiative (CCFI), DoD contractors and subcontractors will need to understand the CMMC Program, how it applies to them, and implications for their legal risk profile and mitigation strategies.

This client alert (1) provides a high-level overview of the purpose and history of the CMMC Program; (2) describes the structure of the new rule and its impact on both prime contractors and subcontractors; and (3) discusses the implications of the new rule on FCA liability, particularly in the context of DOJ’s CCFI.

Though the CMMC Final Rule will become effective in December 2024, it will be applied to DoD contracts and subcontracts through forthcoming revisions to the Defense Federal Acquisition Regulation Supplement (DFARS), which are not expected to be finalized until early 2025. This implementation gap provides a further, limited opportunity for contractors and subcontractors to start internal assessments of implementation of the FAR 52.204-21 and NIST SP 800-171 security controls, as applicable, on systems that “process, store, or transmit” FCI or CUI. They should also consider who will be responsible for managing the company’s overall compliance with the program, and whom they will designate to furnish senior official attestations. The elevated stakes associated with CMMC compliance, especially with regard to FCA liability, will require government contractors and subcontractors to promptly identify their existing cybersecurity controls, in-scope systems, and mechanisms for ensuring subcontractor and supplier compliance.

History and Purpose

In November 2010, the Obama Administration released Executive Order 13556, which sought to standardize the treatment of and safeguards surrounding CUI. Early regulations implementing the Executive Order were based on a “self-attestation” model. The regulations allowed contractors to assess their own compliance with certain enumerated safeguards—generally defined by NIST SP 800-171. See, e.g., DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls; DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. In 2019, DoD announced the development of the CMMC Program, which formally transitions away from solely relying on a self-attestation model; under the CMMC Program, contractors processing sensitive data will require verification of compliance from a third party.

In an interim final rule published in September 2020, DoD established the basic structure of the CMMC Program: (1) a tiered model where requirements increase with the sensitivity of the data involved; (2) requirements for third-party assessments; and (3) a process for implementation through federal contracts and subcontracts. In response to significant criticism of the complexity of the interim rule, DoD released a revised proposed rule in November 2021 and a new proposed rule in December 2023, while retaining these three core features.

Structure of the Rule

Three-Tiered System

The Final Rule, codified at 32 C.F.R. part 170, establishes a three-tiered system that will apply to all contracts where a DoD contractor or subcontractor will process, store or transmit FCI or CUI on a nonfederal system, except for contracts valued under the micropurchase threshold or exclusively for the acquisition of commercially available off-the-shelf products. Once the program is implemented, DoD solicitations will specify the minimum CMMC Status (Level 1, Level 2 or Level 3) required of a contractor in order to be eligible for award. If multiple contractor information systems will be used to process, store or transmit FCI or CUI during contract performance, each system will need to be assessed and meet the level applicable to the contract. 32 C.F.R. § 170.19. Furthermore, while contractors previously could submit an unlimited number of POA&Ms and technically remain in compliance with NIST SP 800-171, the new rule creates limitations on the use of POA&Ms to satisfy cybersecurity requirements by (1) banning outright the use of POA&Ms for certain levels; (2) setting time limits for reliance on POA&Ms; and (3) creating a minimum baseline threshold that entities must meet.

Level 1: To achieve Level 1 status, contractor and subcontractor information systems that process, store or transmit FCI will need to comply with the 15 security requirements outlined in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Contractors (referred to in the Final Rule as Organizations Seeking Assessments (OSAs)) will need to conduct an annual self-assessment and submit an affirmation of compliance in the DoD-administered Supplier Performance Risk System (SPRS) online platform. 32 CFR § 170.15(a)(1) and (2). An OSA must have already implemented all 15 basic safeguard requirements at the time it affirms compliance; an OSA will not achieve Level 1 status if it has any outstanding POA&Ms with regard to attaining the basic safeguards. 32 CFR § 170.21(a)(1).

Level 2: To achieve Level 2 status for systems that process, store or transmit CUI, the contractor must, as specified in the relevant solicitation or contract, either (i) conduct a self-assessment that demonstrates compliance with the 110 controls derived from NIST SP 800-171 Revision 2 (R2) (a Level 2 self-assessment) or (ii) engage a CMMC Third-Party Assessment Organization (C3PAO) to conduct the NIST SP 800-171 R2 assessment (a Level 2 certification assessment). 32 CFR § 170.16(a)(1); 32 CFR § 170.17(a). The Final Rule refers to a contractor seeking a Level 2 self-assessment as an OSA and a contractor seeking a third-party certification assessment as an Organization Seeking Certification (OSC). 32 CFR § 170.4. A contractor is permitted to submit its assessment with POA&Ms in place and receive conditional approval so long as the POA&Ms are completed within 180 days and the contractor maintains a base score of at least 88/110 (measured by the NIST SP 800-171 R2 controls). 32 CFR § 170.21(a)(2). Affirmation of compliance must likewise be reported in SPRS; assessments are valid for three years.

Level 3: To achieve Level 3 status, for systems that process, store or transmit CUI that relates to DoD’s “most critical programs and technologies,” 32 CFR § 170.5(a), the OSC will be required to implement the 110 NIST 800-171 R2 controls as well as an additional 24 requirements derived from NIST SP 800-172. 32 CFR § 170.16(a)(1). The Final Rule does not define “most critical programs and technologies” but notes that “DoD will issue policy guidance to Program Managers to clarify which programmatic indicators should be considered for selecting the most appropriate information safeguarding requirement and associated CMMC assessment requirement for any given solicitation.” Level 3 assessments must be conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 32 CFR § 170.18(a)(1). As with the two lower levels, the OSA will need to affirm compliance in SPRS. 32 CFR § 170.18(a)(2). Finally, the OSA may receive conditional Level 3 status if its assessment contains POA&Ms, so long as more than 80% of the security requirements are met, the POA&Ms do not relate to certain core requirements, like cyber incident response protocols, and any POA&Ms are completed within 180 days. 32 CFR § 170.21(a)(3).

Rollout Period

The CMMC Final Rule establishes a phased approach to implementation:

Phase 1—0–12 Months: Despite the nominal December 16, 2024, effective date of the Final Rule, Phase 1 will not begin until the companion DFARS rule is finalized and effective, which is expected to occur in early 2025. Once Phase 1 is in effect, all applicable DoD solicitations and contracts will be designated as requiring either CMMC Level 1 (Self) or Level 2 (Self) as a condition of contract award. DoD may, in its discretion, require Level 1 (Self) or Level 2 (Self) as a condition to exercising an option period on preexisting contracts or require Level 2 (C3PAO) for new awards.

Phase 2—12–24 Months: During Phase 2, CMMC Level 2 (C3PAO) requirements will apply as a condition of contract award for applicable contracts, though DoD may delay implementation of this requirement to an option period. DoD may also discretionarily elect to apply Level 3 (DIBCAC) requirements.

Phase 3—24–36 Months: During this phase, CMMC Level 2 (C3PAO) requirements will apply as a condition of award and as a condition to exercising an option period for applicable contracts. Level 3 (DIBCAC) requirements will apply as a condition of award for applicable contracts though DoD may, in its discretion, delay implementation of this requirement to an option period.

Phase 4—36+ Months: All CMMC Program requirements apply to all DoD solicitations and contracts, including exercise of option periods for contracts awarded prior to Phase 4 implementation.

Applicability to Subcontracts

The Final Rule applies the CMMC assessment, affirmation requirements and SPRS reporting requirements to subcontracts at all tiers that will process, store or transmit FCI or CUI in performance of the subcontract.

Subcontractors will be required—via mandatory “flow down” of the CMMC requirements into their subcontracts—to meet and maintain applicable CMMC levels as described above. 32 CFR § 170.23(a). Subcontractors that will only process, store or transmit FCI (thus, not CUI) must meet Level 1 (Self), even if the prime contractor has a higher level. Subcontractors that will process, store or transmit CUI in performance of the subcontract must comply with a minimum of Level 2 (Self), though Level 2 (C3PAO) will be required if the prime contract is subject to a Level 2 (C3PAO) requirement. If a prime contract has a Level 3 requirement, the minimum requirement for a subcontractor that processes, stores or transmits CUI will be Level 2 (C3PAO).

In addition to the subcontract flowdown requirements, prime contractors and higher-tier subcontractors will be required to ensure that they do not disseminate FCI or CUI to subcontractors that do not meet the minimum CMMC level required for the subcontract. The Final Rule clarifies that prime contractors and higher-tier subcontractors are not required to assess subcontractor implementation of or compliance with NIST 800-171. Since contractors will not have access to the information reported in SPRS by other entities, a prime contractor or higher-tier subcontractor would need to obtain from its subcontractors certifications or assurances of compliance with the relevant CMMC level.

False Claims Act Implications

In the comments to the proposed CMMC rule, several stakeholders expressed concern that “CMMC implementation would result in increased . . . pursuit of False Claims Act penalties by DoD against [Defense Industrial Base] companies.” In its response to this concern, DoD noted simply that it “lacks the authority to change the False Claims Act.” Regardless, concerns about the FCA implications of the Final Rule are particularly relevant given DOJ’s enforcement actions under its CCFI. DOJ formally established the CCFI in October 2021 when it announced that it would use the FCA as a means to ensure that government contractors comply with contractual and regulatory cybersecurity provisions, particularly cyber incident reporting requirements. DOJ has already announced six CCFI settlements, totaling $28.6 million, and there are several additional ongoing cases.

The CMMC Final Rule paves the way for additional enforcement actions by expressly requiring contractors and subcontractors to “affirm” their level of compliance both in response to contract solicitations and annually throughout contract performance. 32 CFR § 170.22(a).

Since contractors and subcontractors will be required to “affirm,” through a designated Affirming Official, that they comply with the CMMC as a condition of contract or subcontract award, we would expect FCA plaintiffs (DOJ and relators) to cite those affirmations as a basis for FCA liability. In particular, plaintiffs could seek to pursue FCA cases under theories of fraudulent inducement, if the affirmation in the initial solicitation response was false, or false certification, if the contractor or subcontractor falsely affirms the “continuing compliance of their respective organizations” with the specified security requirements during the period of performance. 32 CFR § 170.22(a).

Of course, DOJ or a relator would still need to prove the other essential elements of an FCA case—scienter, materiality and causation. The DOJ’s CCFI is still in its infancy, and the caselaw regarding the FCA’s application to the DoD’s ever-evolving set of cybersecurity rules continues to develop. What constitutes a knowingly false certification of attainment, whether such certifications are material, and the causative effect of such statements are likely to be central issues in future litigation.
