The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:

• Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Those levels range from CMMC Level 1 (the most basic level) to CMMC Level 3 (the most advance level).
• Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo third-party assessments, which allows DoD to verify the implementation of the CMMC cybersecurity standards.
• Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

As expected, the new CMMC rule will require contractors (including subcontractors) to meet one of three CMMC Levels based on the type of information they will receive under the DoD contract:

• CMMC Level 1: Contractors must implement the 15 security requirements currently required by FAR 52.204-21. Contractors must verify compliance with these security requirements by performing an annual self-assessment and uploading the results to the Supplier Performance Risk System (“SPRS”). In addition, a contractor “senior official” will be required to annually affirm continuing compliance with the security requirements through SPRS.
• CMMC Level 2: In addition to the CMMC Level 1 requirements, contractors must implement the 110 security requirements set out under NIST SP 800-171 Rev 2—these are the same requirements contractors must currently meet under DFARS 252.204-7012. Depending on the contract, contractors will either need to perform a self-assessment or undergo a third-party assessment verifying compliance with these security requirements. Contractors will submit their self-assessment results through SPRS. Third-party assessors will submit their assessment results into the CMMC Enterprise Missions Assurance Support Service (“eMASS”). Contractors can develop Plans of Action and Milestones for security requirements that they do not yet meet, but those plans must be closed out within 180 days of the assessment. Like with CMMC Level 1, a senior official is required to affirm compliance with the security requirements after every assessment through SPRS.
• CMMC Level 3: In addition to the CMMC Level 1 and 2 requirements, contractors must implement 24 selected security requirements from NIST SP 800-172. DoD will conduct all CMMC Level 3 assessments. The DoD assessor will submit the assessment results into eMASS and a contractor senior official is required to affirm continuing compliance with the security requirements through SPRS.

Once the proposed rule is published next week, interested parties will have 60 days to submit comments. Based on the complexity of the rule and the significant feedback DoD is likely to receive, we expect DoD to take a year, or even longer, to publish the final rule.