January 23, 2022

Volume XII, Number 23


CMMC 2.0 Brings Increased Flexibility — and Increased Risks — for Contractors

Defense contractors and their subcontractors and supply chains that have been preparing for the challenge of complying with the Cybersecurity Maturity Model Certification (CMMC) recently received some welcome news from the U.S. Department of Defense (DoD): DoD is revamping the strategic direction of CMMC via a new “CMMC 2.0” framework that provides additional flexibility to the defense supply chain in how it addresses the cybersecurity requirements for defense contracts. That additional flexibility includes the ability to self-certify compliance in some circumstances, as opposed to obtaining third-party certifications, and to use Plans of Action and Milestones (commonly referred to as POA&Ms) to address certain requirements that a contractor has not yet achieved as of the date of contract award. While this enhanced flexibility is good news for contractors, it does carry increased risk given the U.S. Department of Justice’s recent announcement of a new “Civil Cyber-Fraud Initiative” that will place increased focus on potential false claims related to a federal contractor’s compliance with contractual cybersecurity and cyber incident reporting requirements. In this article, we discuss the significant changes announced in the new CMMC 2.0 framework and the impact of those changes on companies performing — or seeking to perform — defense contracts, including as subcontractors or suppliers.

Fewer Levels and Cybersecurity Requirements

“CMMC 2.0,” as DoD has branded its revised CMMC framework, reduces the number of certification levels from five to three: Level 1 (Foundational), for contractors who will access only federal contract information; Level 2 (Advanced), for contractors who will access controlled unclassified information (CUI); and Level 3 (Expert), for contractors who will access CUI and will work on programs of the highest priority for DoD. The new Level 1 will correspond to prior Level 1, while the new Level 2 will correspond to prior Level 3, and the new Level 3 will correspond to prior Level 5.

Additionally, CMMC 2.0 eliminates all CMMC-unique practices, meaning that for CMMC 2.0 Levels 2 and 3, the required cybersecurity practices will all come from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and NIST SP 800-172 (formerly known as Draft NIST SP 800-171B). Specifically, CMMC 2.0 Level 2 will require compliance with 110 cybersecurity practices that are aligned with NIST SP 800-171, which many DoD contractors already are required to implement under DFARS clause 252.204-7012. The corresponding level under CMMC 1.0 would have required contractors to comply with the 110 NIST SP 800-171 practices plus 20 other practices and three processes. In addition, CMMC 2.0 Level 3, which is currently under development, will be based on a subset of NIST SP 800-172 requirements, in addition to requiring compliance with all 110 cybersecurity practices that are aligned with NIST SP 800-171. The corresponding level under CMMC 1.0 would have required contractors to comply with additional practices that did not originate from NIST SP 800-171 or NIST SP 800-172, plus five processes. Thus, CMMC 2.0 both reduces the number of required cybersecurity practices and fully aligns those requirements with NIST SP 800-171 and NIST SP 800-172, as applicable.

Self-Assessments Now Possible for Some Contractors, But Carry Risks

CMMC 2.0 also relaxes the prior requirement that all DoD contractors, subcontractors, and suppliers undergo, and pass, assessments by CMMC Third-Party Assessment Organizations (C3PAOs) to achieve CMMC certification. Under CMMC 2.0, all companies at Level 1 and a subset of companies at Level 2 can demonstrate compliance with their respective CMMC level through annual self-assessments made by a senior official of the company.

Under Level 2, self-assessment will be permitted for “non-prioritized acquisitions.” DoD will determine on a contract-by-contract basis whether the data at issue in the contract will render the contract a “prioritized acquisition.” The ability to perform self-assessments for Level 1 and many contracts under Level 2 should reduce the cost of the assessment process for companies that can do a self-assessment instead of engaging a C3PAO. For “prioritized acquisitions” that require CMMC Level 2, contractors will continue to need to be certified by C3PAOs every three years.

While the ability to rely on self-assessments rather than third-party certifications affords greater flexibility to defense contractors and suppliers, DoD’s plan to implement the self-assessment through the attestation of a senior company official will heighten the risk of allegations that the contractor’s self-attestation constituted a false claim if the self-attestation is later determined to have been inaccurate. False claims can subject a contractor to treble damages and stiff statutory penalties per claim under the False Claims Act. With the recent launch of its new Civil Cyber-Fraud Initiative, the U.S. Department of Justice has announced its intent to use the False Claims Act to “hold accountable entities or individuals that put U.S. information or systems at risk by . . . knowingly misrepresenting their cybersecurity practices or protocols,” increasing the likelihood of enforcement of the False Claims Act in the context of CMMC self-attestations. Further, whistleblowers can bring suit on behalf of the government under the False Claims Act and share in the recovery. In addition, submission of false claims constitutes a federal crime. In light of those increased civil and criminal enforcement risks, some contractors otherwise eligible to self-attest their cybersecurity practices may instead elect to rely on third-party certifications. Entities that perform third-party certifications could then face False Claims Act exposure if their certifications are false, causing the contractor to submit false claims.

Moreover, contractors that intend to pursue CMMC Level 2 contract (or subcontracting) opportunities will likely want to undergo an assessment by a C3PAO in case DoD designates a key Level 2 opportunity as a “prioritized acquisition” requiring third-party certification. Unless DoD identifies clear criteria for determining what is a “prioritized acquisition,” potential offerors that only wish to self-assess at Level 2, or cannot complete a C3PAO assessment by the time proposals are due, might consider filing pre-award protests objecting to the classification of a procurement as a “prioritized acquisition.” DoD also has not yet clarified whether prime contractors can allow subcontractors to self-assess at a Level 2 when the prime contract is considered a “prioritized acquisition” that requires a C3PAO assessment.

For CMMC Level 3, assessments will be performed by government officials, and not by C3PAOs, every three years. The Level 3 assessments will work similarly to the “High Assessment” required for certain existing contracts under DFARS 252.204-7020.

POA&Ms Permitted as Temporary “IOUs” for Certain Requirements

DoD stated that CMMC 2.0 will allow for greater flexibility in implementation, as DoD would allow companies, under certain limited circumstances, to adopt POA&Ms to achieve certification. DoD’s intent is to specify certain of the cybersecurity practices as the “baseline” the contractor must meet prior to contract award but to afford the contractor the ability to meet the remaining requirements “within a clearly defined timeline.” This change would eliminate the strict pass/fail nature of CMMC 1.0, under which failure to have achieved a single one of the required security controls would preclude certification. DoD expects the POA&Ms to be in place for a fixed time period, such as up to 180 days, at which point the contractor must meet all of the applicable CMMC practices or face contractual remedies. DoD also intends to identify a subset of CMMC practices so fundamental that they cannot be met with POA&Ms.

When Do Companies Need to Comply With CMMC 2.0?

In 2020, DoD issued an interim rule to begin the phased implementation of the CMMC 1.0 requirements into DoD contracts. DoD’s announcement of CMMC 2.0 effectively hits the “reset” button on that rulemaking, as DoD announced that CMMC 2.0 will be implemented through its own yet-to-be-issued interim rule. DoD estimates that the CMMC 2.0 rulemaking process will take between nine and 24 months. Presumably, this means all contractors will need to prepare for CMMC 2.0 compliance by November 2023, at the latest.

Until the CMMC 2.0 rulemaking is complete, DoD will not include a CMMC requirement in any DoD solicitations. DoD has said it is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC 2.0 Level 2 certification in the interim period before CMMC 2.0 is mandatory, but until C3PAOs can be certified for CMMC 2.0, CMMC 2.0 Level 2 can only be achieved through self-assessment.

What Should DoD Contractors, Subcontractors, and Suppliers Do Now?

With DoD’s recent announcement about CMMC 2.0, DoD has effectively kicked the can down the road for DoD contractors to achieve CMMC certification, and eliminated the need for C3PAO assessments for many DoD contractors. Going forward, DoD contractors, subcontractors, and suppliers should take the following steps to prepare for the eventual rollout of CMMC certification:

  • Watch for announcements about proposed rulemakings with respect to CMMC;

  • Monitor DoD’s CMMC website for detailed information about the CMMC 2.0 framework, which DoD intends to provide by the end of November 2021;

  • Perform NIST SP 800-171 self-assessments as required by DFARS 252.204-7020;

  • Maintain the cybersecurity standards identified in the company’s NIST SP 800-171 self-assessment, which will prepare the company for CMMC 2.0 Level 2 (if necessary);

  • If the company anticipates needing a CMMC 2.0 Level 3 certification in the future, review the detailed information about CMMC 2.0 Level 3 when it is released to determine any steps needed to meet CMMC 2.0 Level 3 requirements; and

  • Review and strengthen compliance programs to ensure False Claims Act compliance, including robust policies and practices for handling whistleblower complaints that could become False Claims Act suits if not handled well.


© 2022 Foley & Lardner LLP. National Law Review, Volume XI, Number 323

About this Author

David T. Ralston Jr., Foley Lardner, Contract Litigation Lawyer, Manufacturing

David T. Ralston, Jr. is a partner and business lawyer in the Washington, D.C. office of Foley & Lardner LLP where his practice focuses on government contract litigation and counseling; rail and air transportation; national and homeland security. He chairs Foley’s Government & Public Policy Practice.

Mr. Ralston has handled virtually all aspects of government contracts, including bid and small business size protests, claims, defective pricing, intellectual property, qui tam litigation, and Cost Accounting Standards matters. He has...

Frank Murray, Government Contractors, procurement law, Foley Lardner Law Firm

Frank Murray, Jr. is senior counsel and a business lawyer with Foley & Lardner LLP where he focuses his practice on issues related to government procurement and supply chain regulation. He is a member of the firm’s Government & Public Policy and Government Procurement Supply Chain Regulation Practices and the Automotive Industry Team.

Mr. Murray advises government contractors and commercial clients seeking to do business with the federal government on wide-ranging procurement law issues, including both pre-award and post-award bid...

Erin L. Toomey, Foley Lardner, Government Contracts Attorney

Erin L. Toomey is a partner and government contracts attorney at Foley & Lardner LLP, where she assists companies to reduce their risk and maximize their recovery when contracting with the government. Ms. Toomey represents clients in a range of industries, including automotive, aerospace, construction, and health care, and counsels such clients in all areas of government procurement, employing innovative and effective legal strategies to protect and promote her clients’ objectives. In recognition of Ms. Toomey’s and her colleagues’ work in this area, Foley’s...

Julia Di Vito Government Compliance Lawyer Foley & Lardner Law Firm

Julia Di Vito is an associate and government contracts lawyer with Foley & Lardner LLP. She represents large and small businesses that are government prime contractors and subcontractors. 

Julia represents government contractors in bid protests before the U.S. Government Accountability Office, the U.S. Court of Federal Claims and state agencies. In addition, Julia drafts requests for equitable adjustment and claims under federal government contracts, and litigates appeals of government contracts claims. 

Julia also assists government prime contractors and subcontractors...

Jennifer L. Urban Data Security Attorney Foley & Lardner Milwaukee, WI

Jennifer L. Urban (formerly Rathburn) is a partner with Foley & Lardner LLP. Jennifer focuses her practice on counseling clients on data protection programs, data incident management, breach response and recovery, monetization of data and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing...