New proposed rule for CMMC 2.0 lays out security requirements, raises some eyebrows

WASHINGTON — The Defense Department recently released a new proposed rule for its Cybersecurity Maturity Model Certification program, laying out specific security requirements for defense contractors and subcontractors — and resurfacing questions about the balance between bottom-line security and regulatory burden.

“In simple terms, the message is: We’ve told you for years to improve your cyber protection; we mean it,” Robert Metzger, a lawyer specializing in government contracts, told Breaking Defense on Tuesday.

The new rule, published Dec. 26, comes after the Pentagon announced CMMC 2.0 in November 2019, an enhanced version of the cyber certification program aimed at strengthening the cybersecurity of the defense industrial base by mandate. The Pentagon said the proposed rule revised parts of CMMC to address public concerns around the initial version of the program. Now, the program will allow self-assessment for some requirements, “priorities for protecting DoD information” and “reinforced cooperation between the DoD and industry in addressing evolving threats.”

At its most basic level, under CMMC 2.0, defense contractors and subcontractors that have access to controlled unclassified information (CUI) will be required to demonstrate the “maturity” of their cybersecurity programs against a set of increasingly advanced capabilities. 

CMMC 2.0 includes a three-level scale through which contractors must implement cybersecurity standards. The proposed rule reaffirmed that companies that handle CUI will be required by DoD to adhere to controls set by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. 

“DoD clearly decided that it expects not only larger companies, but most small businesses to comply [with] cyber requirements of NIST SP 800-171,” said Metzger, who practices at Rogers Joseph and O’Donnell.

Metzger said he believed that decision was “threat-driven,” as the proposed rule references adversary targeting of the defense supply chain. (In February 2022 DoD Chief Information Officer John Sherman said CMMC 2.0 itself was “basic hygiene to raise the water level to make sure we can protect our sensitive data” from prying eyes of China or Russia.)

But that kind of basic hygiene is mandatory, and some observers have eyed the would-be regulations suspiciously. The proposed rule, for instance, also sets forth a new requirement for contractors and subcontractors to annually affirm their compliance with specified security requirements for each level of CMMC 2.0.

Eric Crusius, partner at Holland & Knight LLP, said during a town hall on Tuesday hosted by the Cyber AB, the official accreditation body of CMMC, that the affirmations “have False Claims Act risk written all over it” and it’s a “red flag that DoD and [the Department of Justice] will try to tie contractors to these affirmations.”

“So as an organization, you may have three separate affirmations that can be filed at different times throughout the year depending on your ecosystem and what you’re required to do,” he said. “Also, changes to the system could require a new certification. Who makes that judgment and how that judgment is made can also be subject to a False Claims Act risk… . So all that to be said, it points to the direction that the contractor has to be so careful when dealing with the CMMC program and ensuring that they’ve dotted all their i’s, crossed all their t’s and if they can afford it, bring in third parties who know this stuff really well and that can help them out.”

Eric Fanning, president and CEO of Aerospace Industries Association, appeared to take a wait-and-see approach in a Dec. 26 statement that called on DoD to identify and define CUI.

“Burdensome regulation has long been a hurdle, particularly for small and medium-sized businesses that contribute to the defense industrial base,” Fanning said. “It’s critical for defense companies to have the tools — and the standards — to keep our nation’s sensitive unclassified material secure while not deterring companies from contributing to the defense industrial base.”

He said AIA looked forward to providing feedback for a final rule.

Eric Noonan, CEO of CyberSheath and former BAE Systems CISO, pointed out that however CMMC 2.0 is implemented, its standards might need to extend not just to American contractors and subcontractors, but to defense firms and other entities the world over with whom American firms do business.

“Because if we’re sharing controlled unclassified information (CUI) with a supplier who is in another country, that supplier is considered ‘in scope’ of the guidelines,” Noonan said in a statement to Breaking Defense. “Our national supply chain must be cautious with the kinds of data that they’ve been entrusted with by the DoD. But I also think that we should push to have support for everybody — all foreign governments and supply chains should be in final agreement that we need to protect this kind of sensitive data, both ours and their own.”

At the same time, the rule is still unfinished, in part because it only addresses Title 32 of the Code of Federal Regulations and not Title 48, “which is where contract clauses reside that are necessary to implement obligations upon contractors,” Metzger said. DoD has said it will pursue rule making in both Title 32 and 48. 

“These two parts — the internal (32 CFR) and external (48 CFR) must be synchronized before CMMC can be made operational in contract solicitations,” Metzger said. “We’re told not to expect the needed update of existing Title 48 cyber rules until this March.”

Companies have until Feb. 26 to submit comments. The final rule itself probably won’t go into effect until early 2025, Metzger predicted.