By: Ashley Cullinan, Associate and Kenny Cantrell, Associate, Smith Currie Oles LLP
February 14, 2025

“Cyberattacks have emerged as one of the most significant threats to our homeland,” says Secretary of Homeland Security Alejandro N. Mayorkas. He is not wrong. Global cybercrime costs are expected to reach $10.5 trillion annually by 2025. The global average cost of a data breach in 2024 reached $4.88 million—a 10% increase over 2023 and the highest total ever. (Cost of a Data Breach Report, 2024, IBM). The government must navigate this reality, and contractors must be ready to adapt and comply to remain competitive.

Indeed, the U.S. Department of Defense (“DoD”) published the final rule to establish the Cybersecurity Maturity Model Certification Program 2.0 (“CMMC 2.0”) on October 15, 2024. This amended Title 32 of the Code of Federal Regulations. The final rule, effective December 16, 2024, marks a significant shift for current and future DoD contractors. It is a clear signal of sweeping changes on the horizon for government contract law. Smith Currie Oles is here to discuss practical effects, consequences, and strategies federal contractors can take away from the final rule and the DoD’s commentary.

The final rule sets up a new compliance framework for DoD contractors and subcontractors that process Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”). Under this final rule, contractors will be required to maintain cybersecurity certification. Obtaining the requisite certification level and uploading affirmation into the Supplier Risk Performance System (“SPRS”) will be a condition of contract award. CMMC 2.0 will be rolled out in four phases. Preparing now is paramount for contractors’ competitiveness.

The DoD also proposed a rule to amend the Defense Federal Acquisition Regulation Supplement (“Proposed DFARS Rule”). The Proposed DFARS Rule provides standard contracting clauses to implement CMMC 2.0 in solicitations and contracts and establishes processes to determine CMMC 2.0 compliance prior to contract award. In addition, the Proposed DFARS Rule includes a new provision, “Notice of Cybersecurity Maturity Model Certification Level Requirements.” This provision requires that contractors be notified of the CMMC 2.0 level required by the solicitation and of the proof of compliance required to be submitted in SPRS. The Proposed DFARS Rule is set to be finalized in early 2025. The Proposed DFARS Rule’s effective date will initiate CMMC 2.0’s phased rollout. At the same time, the DoD may include CMMC 2.0 requirements in contracts before the Proposed DFARS Rule is finalized. We surmise that if the government can include the requirements, it will. Thus, contractors should prepare.

CMMC 2.0 Requirements: A General Overview

CMMC 2.0 maintains a tiered certification model consisting of Levels 1 through 3 (with heightened requirements for each successive level). Contractors and subcontractors must meet one (or more) of the three certification levels, as determined on a contract-by-contract basis by a senior DoD official. Contractors that achieve Level 1 Certification will be permitted to handle FCI. Contractors that achieve Level 2 and 3 Certification can handle CUI.

Contractors and subcontractors affected by CMMC 2.0 should thoroughly review its requirements. A common requirement across all levels is the annual submission of a formal affirmation verifying the contractor’s compliance with CMMC 2.0 standards. While these intensified responsibilities and reporting requirements will be used to ensure contractor compliance with CMMC 2.0 standards, they also increase contractors’ exposure to liability for misrepresentations or even simple inaccuracies under the False Claims Act (“FCA”).

Level 1 Certification is the most basic cybersecurity level of CMMC 2.0. It addresses safeguarding FCI. Contractors at this level must comply with the fifteen existing cybersecurity standards in Federal Acquisition Regulation (“FAR”) 52.204-21. Under Level 1 Certification, contractors must self-assess their compliance and submit a self-assessment to the SPRS.

Level 2 Certification applies to contractors handling CUI. This level requires contractors to implement the 110 security controls existing under revision 2.0 of NIST SP 800-171. While some contractors at Level 2 may be able to self-certify their CMMC compliance, most will be required to have an independent third party (a “CMMC Third-Party Assessment Organization” or “C3PAO”) assess their compliance. These third-party assessments are valid for three years.

Level 3 Certification provides CUI protections associated with “a critical program or high-value asset.” Contractors required to obtain Level 3 Certification must also be Level 2 Certified, implementing the 110 security controls under revision 2.0 of NIST SP 800-171, in addition to 24 security requirements from NIST’s SP 800-172. Assessments of Level 3 compliance will be conducted by the DoD’s Internal Defense Industrial Base Cybersecurity Assessment Center.

Impacts of CMMC 2.0

CMMC 2.0’s impact will undoubtedly be significant. Thousands of contractors and subcontractors must meet at least one of the CMMC 2.0 level certifications. This creates heightened responsibility for implementing and monitoring internal processes to safeguard information, with increased reporting requirements and heightened exposure to contract termination and liability under the FCA. There has been a rise in FCA claims relating to cybersecurity in recent months, and CMMC 2.0 will add yet another source of potential legal and compliance risk.

Even though the CMMC 2.0 program will be implemented in phases, contractors can and should take action now to prepare themselves for what is to come. Contractors must assess their work, determine what certification level may apply, and determine the funding and resources required to comply. Moreover, despite the phased rollout, contractors may immediately seek a CMMC 2.0 certification assessment before the Proposed DFARS Rule is finalized and any clauses are added to new or existing DoD contracts.

Contractors navigating CMMC 2.0 must address solicitation requirements, challenge inappropriate CMMC 2.0 designations early, and ensure compliance at every stage to avoid FCA liability. Small businesses should remain aware of financial challenges, while joint ventures must verify compliance for all members handling CUI or FCI. Additionally, contractors should assess the impact of mergers or acquisitions on their CMMC 2.0 status and adapt as necessary.

Smith Currie Oles will be monitoring changes to, and impacts of, the CMMC 2.0 program, and stands ready to provide guidance and assistance to contractors in meeting these complex requirements and safeguarding their interests.

Smith Currie Oles provides comprehensive legal services to all parts of the construction industry across the nation. Smith Currie lawyers have decades of demonstrated success representing construction and federal government contracting clients “From the Ground Up,” including procurement matters, contract formation and negotiation, project administration, claims prosecution and, when necessary, in litigation and other forms of dispute resolution.

The views expressed in this article are not necessarily those of ConsensusDocs. Readers should not take or refrain from taking any action based on any information without first seeking legal advice.