CMMC rulemaking: Where are we now?

The Cybersecurity Maturity Model Certification (CMMC) proposed rule is making its way through the rulemaking process. The rule was submitted by the Department of Defense (DOD) on Dec. 26, 2023, and the public comment period on the rule closed at the end of February. This is a normal part of the rulemaking process. The DOD now needs to respond to those comments.

As expected, the rulemaking has created much attention and there were 787 comments received. What can we learn about the industry and some of the looming challenges that contractors will face? We have attempted to review the comments and share insights that were discovered in this series.

Some of the comments were clearly anticipated. Interestingly, the DOD still had comments from prior rulemaking that they attempted to address in the proposed rule.

Let’s begin by examining those comments:

Subcontractor applicability to scope

The DOD noted there were several comments about who the CMMC rule would and would not apply to. The DOD clarified in their response that the CMMC requirements would only apply to contractors that handle Controlled Unclassified Information (CUI), for Level 2 and 3, or Federal Contract Information (FCI) for Level 1. This is helpful to understand as subcontractor readiness for CMMC will be a problem for many primes. This means that if you work with a subcontractor that might not be ready for CMMC Level 2, you might be able to still use them if they don’t handle CUI in their systems. Understanding or determining ways for those contractors to perform without handling CUI can be a bit tricky. The interesting part that we have not seen is the CMMC contract clauses and how those would apply to subcontractors. The DOD’s answer to the comment does suggest that contractors do not need to flow down CMMC requirements to contractors that do not handle CUI or FCI in their systems. However, if the CMMC clause says that all contractors that work on the contract must be CMMC certified, that would cause issues to this approach. We will have to watch as rulemaking is expected for the contract clauses that will appear in contracts later this year.

The response also helped to clarify that internet service providers, or similar common carriers, were not going to be subject to CMMC unless they pursued contracts directly. The answers seemed to help confirm the scoping guide which allows the use of both physical and logical barriers to establish barriers and scope out certain applications from the certification boundary. This is helpful confirmation and further validates using such physical and logical solutions like encryption to minimize the scope of your CMMC boundary.

Joint ventures

The DOD noted there were questions of how CMMC certifications would apply to joint ventures. Sadly, in their answer they noted that this proposed rule addresses how the CMMC program would work but did not expound on “changes to current DOD solicitation provisions and contract clauses, including DFARS clause 252.204-7021.” So, the answer is a bit lacking. There is, however, a note that the CMMC requirements would apply to contractor systems that handle CUI and FCI. From context and best understanding, we suggest that joint ventures are not going to be exempt from CMMC. If the joint venture has its own Commercial and Government Entity (CAGE) code and systems, then those systems need to be subject to CMMC and a certification should be sought for that boundary. If the joint venture uses the systems of one or both parents, and those systems are already subject to CMMC certification, it makes sense that the joint venture could inherit those certifications. Our recommendation is that as a joint venture forms, the management team should carefully consider the systems and certifications to avoid problems.

One interesting byproduct could be that CMMC makes forming new joint ventures harder. If the joint venture is going to have its own systems, then those systems will need to be established and certified prior to pursuing the work. No longer are the days of standing up the systems after contract award and funding is provided. Contracts requiring CMMC will mean a system must be operational to be assessed and that all must happen prior to contract award. This might cause more joint ventures to use their parent’s systems and associated certification or could be a barrier to forming joint ventures.

Operational technology/specialized assets

Early in the CMMC journey, this question was raised. Around the time that CMMC 2.0 was announced, the DOD provided Scoping Guidance. The DOD introduced a category of specialized assets within the Scope Guides. Specialized assets are defined as “government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment.” The proposed rule also confirms this scope guidance. For a Level 2 assessment, the specialized assets are not going to be tested. This means most of a contractor’s specialized assets will not be tested as part of CMMC.

However, a subset of contractors will be trying to achieve Level 3 certification. During the proceeding certification at Level 2, the specialized assets must be tested. This is an interesting development. The proposed rule also states, “it is permissible to use intermediary devices to provide the capability for the specialized asset to meet CMMC Level 3 security requirements.” This indicates that you can do things to address any shortcomings of the systems. For example, if the system can’t support multi-factor authentication, then having a workaround such as a locked door and the ability to access the system might be an acceptable answer. The problem is that “intermediary devices” are not yet clearly defined. While it is good news that all practices for specialized assets will not be tested, for those contractors that are seeking Level 3 the controls must be fully implemented even for specialized assets prior to seeking Level 3 certification. This further enforces our recommendation that Level 3 should be reserved for enclaves and not planned for the entire enterprise for most companies.

Fundamental research

While the DOD attempted to agree that fundamental research is not, by definition, CUI or FCI because it is “shared broadly within the scientific community,” the DOD went on to say that if the information handled is FCI or CUI, then CMMC applies. This then comes down to clearly understanding what you are handling and if it requires CMMC. Our view is that many times the defense application of fundamental research is what the DOD is seeking. With many of their grants, it is highly likely that at least some portion of the research funding is going to be considered CUI and, therefore, CMMC applies. Many universities were hoping to get a pass on CMMC but unfortunately it does not appear to be the case.

International implications of CMMC

The DOD clarified a number of comments about the implications of CMMC for international subcontracting and international operations. The DOD chose to address this by suggesting that you simply need to comply with the contract no matter the domestic or international delivery. While obvious, the answer seems to miss some of the confusion. There seems to be a misunderstanding that CMMC requires that only U.S. citizens may handle the data. There are certain subsets of CUI that have dissemination controls applied that require only U.S. citizens to handle the data. However, there are equally many types of CUI that do not carry such dissemination controls. Therefore, CMMC does not require data be handled by only U.S. persons. Accordingly, CMMC certifications likely can be awarded to international entities if all the other requirements are adequately satisfied. Unfortunately, if your international subcontractor thinks CMMC does not apply to them, it could be a problem for your ability to leverage that entity on future contracts.

CUI markings

The DOD received many comments about CUI marking or the lack thereof. The DOD stated the CMMC does not change the requirements to protect CUI. Those requirements are established by the National Archives and Records Association (NARA) and 32 Code of Federal Regulations (CFR) 2002. The intention behind many of the questions seemed to be if CUI isn’t marked then the contractor shouldn’t have anything to do. The DOD responded by indicating they are responsible for marking and the contractors are responsible for protecting.

During the next installment of this insight series, we will examine the comments from contractors. Our strongest bit of advice—stay informed of all updates and advancements as the final rulemaking process unfolds. Paying careful attention to the nuances that might impact your company and anticipating those challenges will help you stay prepared. If you want to discuss any of these points, please contact a Baker Tilly professional.