Proposed CMMC Rule Spells Out Liability Risks for Noncompliance

By Roger Abbott and Adam Bartolanzo


The Defense Department on Dec. 26 published for public comment a proposed rule implementing the Cybersecurity Maturity Model Certification 2.0 program — more than two years after it scrapped the initial version of this highly publicized program.

Although the proposed rule does not deviate too significantly from guidance the department has already released, it formalizes implementation and provides contractors with additional information about the program.

However, this rulemaking is limited to Title 32 National Defense regulations; the actual contract clauses that will apply to defense contractors are still being developed under a separate rulemaking process.

Additionally, given the repeated delays in rolling out CMMC, it remains to be seen whether the department will be able to keep up with its aggressive timetable. Nonetheless, contractors should be mindful that the program largely enforces existing cybersecurity requirements and focus their efforts on fully complying with those requirements before the final rule takes effect.

According to the proposed rule, the purpose of the CMMC program is to “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have … implemented required security measures,” which, for the most part, have already been in place for several years.

The proposed rule also establishes new cybersecurity requirements that apply to a select number of “priority” programs.

To this end, the proposed rule establishes a tiered framework, including the three levels defined by the Defense Department when it first announced CMMC 2.0 in November 2021 and developed in guidance documents that have been published in the interim. Each of these levels aligns with existing cybersecurity requirements. Level 1 is aligned with Federal Acquisition Regulation 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” which requires contractors that handle “Federal Contract Information” on their information systems to comply with 15 security requirements that are “elementary for any entity wishing to achieve basic cybersecurity.”

Although this contract clause technically applies only to contractors that handle such information, the proposed rule indicates that the department expects all defense contractors to comply with FAR 52.204-21.

Level 2 is aligned with Defense Federal Acquisition Regulation Supplement 252.204-7012, which applies to contractors that transmit, store or process Controlled Unclassified Information on their information systems. Those contractors must comply with 110 requirements from the National Institute of Standards and Technology Special Publication 800-171.

Finally, Level 3 incorporates 24 new security requirements from NIST SP 800-172, which will apply to a select number of “priority” programs. The proposed rule estimates that only 1,487 contractors will be subject to these new requirements.

The proposed rule enforces these security standards by establishing a scaled assessment mechanism. Assessments will be made conditions of contract award and must be submitted at the time of award for a contractor to be eligible. Level 1 assessments, which will apply to most defense contractors, must be conducted on an annual basis, whereas Level 2 and Level 3 assessments will need to be performed triennially for contractors to remain compliant.

Level 1 requires self-assessments by contractors to verify their compliance and submit their assessment scores to the department’s Supplier Performance Risk System before award and annually thereafter. Vague self-assessments, however, are out. The assessment guides — released concurrently with the proposed rule — define concrete self-assessment procedures companies need to satisfy, even if a formal System Security Plan is not required at Level 1.

Level 2 requires contractors to submit either a self-assessment or a certification assessment to be performed by a certified third-party assessment organization “as determined by DoD.”

It remains unclear how many Level 2 requirements will be “determined by DoD” to require self-assessments versus certification assessments.

The tables included with the proposed rule evaluating its impact estimate that about 95 percent of entities that will be required to certify at Level 2 will need to be certified by a third party. But how reliable an indicator is that? The Defense Department faces a huge backlog of third-party assessors seeking accreditation. Given its estimate that 76,598 companies will need such a third-party certification, it seems likely that many companies will not be able to obtain third-party certification within the three-year timetable for implementation specified in the proposed rule.

Level 3 requires a certification assessment by the Defense Industrial Base Cybersecurity Assessment Center. The center is also responsible for performing the Level 2 certification assessment of the accreditation body responsible for accrediting third-party assessors, as well as performing Level 2 certification assessments of third-party assessors. As a result, contractors handling Level 3 information are unlikely to be immune from the delays expected from the backlog of third-party assessors waiting for their accreditation to go through.

Under certain circumstances, the proposed rule permits contractors that are not yet fully compliant with existing requirements to submit a “Plan of Action and Milestones.” But contractors be warned: such a plan is not permitted for Level 1 self-assessments, and even at Levels 2 and 3, a minimum overall assessment score must be reached before a plan is allowed.

Nor can contractors rely upon a plan indefinitely, as the proposed rule requires it to be closed out within 180 days of the initial assessment.

And so, contractors handling Level 2 or 3 information that are not in full compliance at the time of contract award will need to act quickly to address their security gaps, lest they find themselves in breach.

The proposed rule also includes additional information about the use of external service providers, including cloud service providers. Contractors may use non-CMMC certified cloud service providers to handle Controlled Unclassified Information in a cloud environment, provided the environment satisfies at least FedRAMP Moderate or equivalent requirements.

However, other external service providers must hold a CMMC certification equal to or greater than that of the contractor. Given that the proposed rule will include a mandatory flow-down provision, the restrictions on the use of external service providers will present supply chain management challenges.

The significance of these challenges cannot be overstated because the proposed rule requires a “senior official” of each company subject to the CMMC program to annually affirm compliance. For Levels 2 and 3, affirmation is further required after every assessment, as well as at closeout of a plan of action and milestones. Every affirmation will carry with it a degree of risk under the False Claims Act, with that statute’s treble damages constantly hovering over every defense contractor subject to a CMMC assessment as a condition for award.

Will the Department of Justice treat CMMC affirmations as “material” to payments made on a contract subject to the program? Possibly, and certainly an enterprising whistleblower may think so.

Consequently, the requirement to flow down Defense Department cybersecurity provisions to subcontractors, and possibly suppliers, presents risk under the False Claims Act. To fully protect themselves, contractors may need to spend significant resources vetting and monitoring subcontractors and suppliers.

One can imagine the price premium subcontractors and suppliers would include in their quotes if that were the case. Some contractors may require prospective subcontractors to obtain third-party certification even if such independent certification is not, strictly speaking, required.

Liability can also arise under the False Claims Act even when the “senior official” holds a good faith — but incorrect — belief that their company is compliant. This is because liability — and treble damages — can attach if a company acts with “reckless disregard of the truth or falsity” of the matter asserted. Affirming a self-assessment by deliberately ignoring deficiencies in a company’s cybersecurity system certainly could land that company in hot water, so care must be taken each time an affirmation is made.

Obtaining a third-party certification of compliance may not necessarily provide a “safe harbor” because companies must continually remain compliant with the required cybersecurity standards. Companies that are subject to the DFARS cyber rule, then, should consider engaging a consultant to develop the System Security Plan they use to perform their NIST SP 800-171 self-assessment, even if it is unclear whether they will eventually be required to obtain a third-party certification.

Having a robust System Security Plan in place may not only help companies that require third-party certification do so expeditiously but could also reduce the risk of liability under the False Claims Act by demonstrating appropriate steps were taken to support a good faith belief in the accuracy of an affirmation of compliance.

CMMC 2.0 applies to virtually all defense contractors regardless of size; only companies whose military business is limited to supplying commercial off-the-shelf products and services or falls under the micro-purchase threshold are exempt.

The program is likely to have a disproportionate impact on small businesses, particularly those required to obtain third-party certification. The proposed rule estimates the cost per Level 2 certification assessment to be upward of $100,000 for small entities. Some companies may be able to minimize costs by limiting Controlled Unclassified Information to an isolated “enclave” within their information system. But companies with only a small number of defense contracts in their federal contracting portfolio may conclude that the cost of complying is not worth it.

Only time will tell what the full impact of CMMC 2.0 will be. Some questions about the program may be answered during the rulemaking process, with comments currently due Feb. 26. Others, however, likely will be answered only when the final rule takes effect.

To that end, the department has proposed an aggressive, four-phase rollout that will take place over a three-year period. Under Phase 1, requirements for Level 1 and Level 2 self-assessments will be included in solicitations and contracts immediately upon the effective date of the rule.

Phase 2 will follow six months later, when the Defense Department intends to include requirements for Level 2 certification assessments in solicitations and contracts, meaning contractors will only have half a year to prepare for third-party assessor certifications once the final rule takes effect.

Level 3 certification assessment requirements will start to be included during Phase 3, one year after the rule’s effective date. Phase 4, full implementation, will begin one calendar year after the start of Phase 3 and is expected to occur on or after Oct. 1, 2026.

Of course, past projections of CMMC’s rollout have been optimistic to say the least. Both iterations of the program have experienced significant delays. Nonetheless, contractors that handle Federal Contract Information and Controlled Unclassified Information should be mindful that they are already subject to cybersecurity requirements, and that now is always the best time to confirm their cybersecurity measures are up to code.

Otherwise, contractors may find themselves suffering the consequences of noncompliance, including the potential for those pesky treble damages hanging ever so delicately each time an affirmation of CMMC compliance is made.

Roger Abbott is a principal and Adam Bartolanzo is a counsel in the Government Contracts and White Collar Practice Group at Miles & Stockbridge P.C. They can be reached at: and

Disclaimer: This is for general information and is not intended to be and should not be taken as legal advice for any particular matter. It is not intended to and does not create any attorney-client relationship. The opinions and legal positions asserted in the article are those of the authors and do not necessarily reflect the opinions of Miles & Stockbridge firm.


Comments (1)

Re: Proposed CMMC Rule Spells Out Liability Risks for Noncompliance

The latest draft proposed CMMC ruling is further proof the DoD CIO and entire staff need to be put under AT&L if not OSUD. Responsibility for NSS Cybersecurity should be under the DoD CTO, not CIO as for IS. And finally, time to take a giant pause on CMMC and get the authors to listen to the professional practitioners on both the DoD AAF and Defense contractor side. CMMC is bloated byzantine bureaucracy, not cost effective and ignores the failures of certification and especially RMF. I have not seen in my 51 years in and out of uniform such a train wreck as CMMC has become. NIST standards are just that. We already have guidance for INFOSEC, Physical and facility security time-proven. We do not need a committee or collaborators who do not work for a living in our world of the AAF, a prime fact the DoD CIO staff seem to have forgotten or simply do not understand. Simpler means of protecting the data already exist from lessons gleaned from the banking and financial industries; and as in the USAF SSE Cyber Guidebook and the latest Federal Blockchain guidebook. Our taxpayer dollars need to be tempered with professional common sense and practical experience working within the acquisition domain once again.

Joseph D Yuna at 6:08 PM