Interview transcript:
Jared Serbu: Dan, we now have a final rule, actually multiple final rules, telling us where the Defense Department is headed with CMMC. It’s been a long time coming. As we sit here in the fall of 2025, I mean, generally, how would you assess the level of clarity that folks have about how this is going to play out once we start really moving into the implementation stage here?
Dan Ramish: Well, Jared, I would say there are some questions about how the rollout will take place and the final rule included in Title 48 actually created some new questions. So one of the big questions, there are two central pieces of the CMMC program, really. One of them is that over time, these verification requirements will be implemented and that’ll include for most contractors that have contracts involving CUI, a certified third-party assessment, but the other piece of CMMC is that contractors are actually going to have to have a passing score that they are implementing cybersecurity requirements whereas currently, they only need to do an assessment and report the summary scores of that assessment without reference to having a particular passing score, having implemented a certain number of the security requirements. So this is going to be a big deal starting November 10th. Some contracts will require contractors to have a certain level of cybersecurity implementation with regard to the 110 cybersecurity requirements in NIST SP 800-171. The question is which contracts will have the CMMC clause and which won’t. And it’s going to matter so much because again it’s going to be an issue of eligibility for award. So you could lose out on a contract if you don’t have sufficient cybersecurity compliance. And the uncertainty here stems from the fact that there is language in the Title 32 rule and the Title 48 rule that is different. So the Title 32 rule suggests that DoD, as of Phase 1, which begins on November 10th, 2025, intended to include the CMMC statuses in clauses in all contracts and solicitations. Whereas the Title 48 rule, that came out in September, says that during the first three years the CMMC requirement will be included in only certain contracts. So it’s unclear which contracts will or won’t have it, or whether all contracts will have the CMMC clause or not.
Jared Serbu: But I think part of the take-home message there is you as a potential bidder or potential offer on any of these contracts have no control over what DoD ends up doing on any particular contract and whether the clauses are going to be included or not. So that probably means it’s time to be ready no matter what.
Dan Ramish: That’s right. Contractors shouldn’t be rolling the dice and potentially losing out on an important contract opportunity that may include the CMMC clause.
Jared Serbu: And so what do we know about, as you just did a great job of taking us through, there’s a lot of murkiness about which contracts are going to include this or not. But what do we know about sort of the process DoD is going to use to decide whether those clauses are going end up going into those contracts, at least during this first phase where they’re leaving themselves quite a bit of discretion?
Dan Ramish: So the Title 48 rule basically says that it’ll be up to the requiring activity to make the determination on CMMC, and that the CMMC program office will direct the component program offices as to inclusion of the requirement. The other issue, besides whether the clause will be in the contract at all, is whether self-assessment will be included or whether some contracts may include certification assessment for CMMC Level 2, and there’s discretion in that as well. There is a little bit more guidance as to that piece of it, when the decision might be made to include a certification assessment requirement. DoD’s frequently asked questions say that PMs should only make use of the discretion to include C3PAO assessment during Phase 1 when, informed by adequate market research, there’s reason to believe there are enough qualified offerors, including their subcontractors, to provide adequate competition. So if there are enough contractors that have a certification assessment for a particular requirement, then there’s a greater chance that DoD might decide to include a certification assessment and you could lose out even if you have self-assessed and are compliant, either conditionally or fully compliant.
Jared Serbu: Yeah and one of the things that comes to mind here is it may be an incentive against over-classification in some cases here, of course, a problem that has been existent in the government for a long time. If you run into a situation now where whether you’re designating things as CUI or not could determine whether or not you need to have CMMC in a contract, that could be a fairly powerful force on the government side to at least make you take a second look at the requirements in your contract and say, ‘Hey, is this really CUI or not?’
Dan Ramish: Yes. Well, and the backdrop to that is that a significant portion of the defense industrial base isn’t at the full passing score as yet for CMMC Level 2. And there have been a number of studies, one of them fairly recently from a company called CyberSheath, that suggested that the median SPRS score based on 300 survey respondents was 60, whereas the full compliance score is 110. So a lot of contractors have work to do and DoD requiring activities, of course, want to get their products and services from the contractors. And so on the one hand, the cybersecurity concerns are real, the national security implications of cybersecurity are real. But on the other hand, the Department of Defense needs to get their stuff. And so this has always been the tension all along. And I hope that you’re right that as the stakes increase with the CMMC clause that the government will take a more serious look at what really needs to be marked as CUI and be more discerning in that. But part of the challenge is that there isn’t at this stage a standardized method for indicating, identifying what CUI will be involved in the given contract. That’s something that’s addressed in the FAR CUI proposed rule. But that is kind of on hold with the whole Revolutionary FAR Overhaul that’s taking place. So there’s still going to be some challenge and some need for informal communication between prime contractors and the government or between subcontractors and prime contractors to figure out even what is going to be CUI under a contract.
Jared Serbu: Yeah, I want to make sure I’ve got my head around that last piece. So you as a vendor, when you see an RFP, you may not necessarily know just based on those solicitation documents whether or not there’s going to be CUI involved in performance of the work. And you may not know at the outset whether or at what level you need to be compliant with CMMC. Is that the upshot of all that?
Dan Ramish: Well, so there will be a designation of what CMMC level is required. The clause will designate which CMMC level is required, but just because CMMC Level 2 is designated for a given solicitation or contract doesn’t mean that all information that is provided by the government or that’s generated in performance is going to be controlled unclassified information, and it’s important to know what specific information is subject to handling and dissemination controls because contractors need to take appropriate precautions and they may have CUI on some information systems and not on others. And so ensuring that they are properly directing the flow of materials that are actually CUI is critical for compliance with the cybersecurity requirements. And so if they don’t have that information, if that’s not clearly indicated in the contract because there is no standardized form for that to happen, as yet, that creates a challenge.
Jared Serbu: Yeah, and you mentioned earlier that this is not the time to roll the dice anymore. But are there some areas or windows where, depending on the type of work you do, you can get away with completely avoiding CMMC altogether? Are there places where contractors really can still play and not worry about anything that we’ve been talking about the last 10 minutes?
Dan Ramish: So this is a big point of debate because, so CMMC Level 1 is actually going to apply to the largest portion of the Defense Industrial Base. And CMMC Level 1 corresponds to the basic safeguarding requirements that are currently in the FAR and those requirements are intended to be less onerous, but they are government-unique requirements. And to get out of even CMMC Level 1, there are really two ways around it. One of them is, there is an exception for COTS items. So if a contract is solely for COTS, commercially available off-the-shelf items, that’s one exception. There’s going to maybe be greater need to drill down on what specifically is COTS. Of course, we live in an age where if you’re buying something off the shelf, there may be different options, and if the same options are available to the government as are available in the commercial marketplace, does that still make it COTS? There are questions like that where there could be gray areas. The other piece is federal contract information. If there’s no federal contract information, then CMMC Level 1 isn’t going to be required, assuming there also is CUI. Federal contract information is just non-public government information that’s involved in the contract. And the way that is interpreted by the government is going to be important because, of course, a lot of the information that is involved in contract performance is going to be accessible through the Freedom of Information Act. But the Department of Defense declined to say that anything that’s FOIA-able is not FCI. So it may be challenging to demonstrate that you don’t have any non-public federal information. There are going to be some exceptions if the government makes the information publicly available like on a public website, or certain financial payment information isn’t going to be FCI. But short of that, I think it will be interesting to see whether there are questions about getting out of CMMC altogether based on the lack of FCI.
The post New CMMC rules take effect Monday, with contractors facing uncertainties first appeared on Federal News Network.
