The Defense Department’s long-awaited proposed rule for the Cybersecurity Maturity Model Certification program lays out DoD’s plan to introduce the CMMC requirements over the next three years.

The proposed rule, released today and scheduled to be published in the Federal Register on Dec. 26, would establish requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors are implementing required security protections.

DoD already has a provision in its contracts requiring companies that handle controlled unclassified information (CUI) to protect it in accordance with controls set by the National Institute of Standards and Technology (the security requirements in NIST Special Publication 800-171).

But DoD has not typically checked whether contractors actually follow those requirements. And with persistent and mounting concerns about foreign adversaries stealing sensitive data from the networks of defense contractors, the CMMC program is intended to check whether companies meet the standards before contract award.

“Under CMMC, compliance will be checked by independent third-party assessors certified by DoD,” the proposed rule states.

The Pentagon first announced CMMC in 2019. But the original program faced pushback, largely due to concerns about the cost on small businesses. DoD launched a lengthy review and then significantly revamped the CMMC program in late 2021, scaling back some of the certification requirements for contractors working with less sensitive data.

The proposed rule released today would implement the “CMMC 2.0” plan. The requirements will not become effective until DoD finalizes the rule after a public comment period. DoD officials have previously said they don’t expect to issue a final rule until next fall.

Comments on the proposed rule will be due Feb. 24.

Once CMMC becomes effective, DoD will implement the program under a four-phased plan that will see CMMC requirements in all solicitations for contracts involving CUI or federal contract information (FCI) by Oct. 1, 2026, according to the proposed rule.

At the same time, the rule gives DoD program offices wide latitude to implement CMMC requirements as they see fit, once they’re finalized.

“In the intervening period, DoD Program Managers will have discretion to include CMMC requirements in accordance with DoD policies,” the proposed rule states.

The first phase of the implementation plan will begin when DoD finalizes CMMC contracting rules under a forthcoming change to the Defense Federal Acquisition Regulation Supplement.

During that initial phase, DoD will focus on introducing CMMC’s self-assessment requirements across all new solicitations and contract options. The self-assessment requirements are intended for contracts involving federal contract information, as well as CUI that’s considered less sensitive.

Phase two begins six months later and will involve DoD implementing the certification assessment requirements under "level two" of CMMC. Under those requirements, contractors must obtain a certification from a third-party assessment organization, the major change under the CMMC program.

“The department anticipates it will take two years for companies with existing contracts to become CMMC certified,” the proposed rule states.

Phase three will begin one year after the second phase and involve DoD introducing the “level three” requirements, which are for contracts involving the most sensitive CUI. Level three assessments are done by DoD itself, not third-party groups.

A CMMC certification is valid for three years under the proposed rule.

Phase four is the “full implementation” of the CMMC requirements and begins one calendar year after the start of phase three.

In addition to giving contractors time to digest the requirements, the phased implementation plan is also expected to give the Cyber Accreditation Body enough time to establish a sufficient number of CMMC Third-Party Assessment Organizations, known as C3PAOs.

The proposed timeline “is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements,” the rule states.

“An extension of the implementation period or other solutions may be considered in the future to mitigate any C3PAO capacity issues, but the department has no such plans at this time,” it continues. “If changes to the implementation plan occur, DoD policies that govern requirements definition in the acquisition process will be modified.”

Affirmation requirements

Among the notable changes in the proposed rule is the introduction of "affirmation" requirements throughout the CMMC program. They would require a senior official from the prime contractor and any applicable subcontractor to affirm compliance with the cybersecurity requirements.

Michael Gruden, a counsel in Crowell & Moring’s Washington, D.C. office, said the affirmation requirements are notable when considering the Justice Department’s Civil Cyber Fraud Initiative and the increase in False Claims Act cases being brought against contractors accused of misrepresenting their compliance with contractual cybersecurity requirements.

“When we think about all of this in conjunction with these affirmations that are being incorporated throughout CMMC, it’s really the government indicating to the contractor community that they are elevating these requirements, and putting the contractor in the seat of controlling their own destiny with regards to compliance and potential enforcement actions,” Gruden said.

POA&Ms an ‘olive branch’

Meanwhile, the proposed rule also allows for “conditional” self-assessments and certifications. In cases where contractors can’t fully meet every requirement, they’re allowed to defer some into Plans of Action and Milestones (POA&Ms).

Those plans must then be closed out within 180 days. Gruden called it an “olive branch” to the contractor community.

“That is one way I see DoD leaning forward to the contractor community and saying, we understand that some of these controls take time. And so we’re going to meet in the middle and afford you this opportunity that even if you’re conditionally self-assessed or certified, you still would be eligible to be awarded contracts,” Gruden said.