An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels

Client Alert | 4 min read | 02.21.25

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known simply as “CMMC”—appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

This month, the DoD made public a memorandum titled “Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements.” The memorandum emphasizes the DoD’s focus on reducing the risk of cyber attacks and reinforces contractors’ obligations to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). While the final Defense Federal Acquisition Regulation Supplement (DFARS) rule, 2019-D041, has not yet been published, the memorandum reminds program managers and contractors of the CMMC assessment requirements, reiterating that program managers and requiring activities will designate CMMC levels for contracts based on the type of information that contractors will handle on their own networks during contract performance. Notably, the memorandum provides that non-Federal Acquisition Regulation (FAR) based grants and other legal agreements will also include CMMC requirements.

In addition, the memorandum includes guidance on how requiring activities may determine the applicable CMMC Level and how program managers or requiring activities may request a waiver of CMMC requirements.

As contractors prepare for the publication of the final DFARS rule, the memorandum provides new insight on what contractors should expect, including the following:

  • The CUI Registry will determine whether self-assessments or third-party assessments are required for CMMC Level 2.
    • CMMC Level 2 self-assessments will be sufficient only when the contract will require the contractor to process, store, or transmit CUI that is outside of the National Archives CUI Registry Defense Organizational Index Grouping. However, a program manager may elevate the requirement to CMMC Level 2 certification “if there is high risk to the confidentiality, integrity, or availability of the CUI.”
    • CMMC Level 2 certifications will be necessary when the contract will require the contractor to process, store, or transmit CUI categories under the National Archives CUI Registry Defense Organizational Index Grouping.
  • Contractors that process, store, or transmit CUI that is outside of the CUI Registry Defense Organizational Index Grouping may need to be prepared for an accelerated timeline.
    • As noted above, CMMC Level 2 self-assessments are only sufficient when the CUI is not one of the categories under the National Archives CUI Registry Defense Organizational Index Grouping. The Defense Organizational Index Grouping includes Controlled Technical Information; DoD Critical Infrastructure Security Information; Naval Nuclear Propulsion Information; Privileged Safety Information; and Unclassified Controlled Nuclear Information – Defense. Accordingly, contractors that handle information such as Protected Critical Infrastructure Information, North Atlantic Treaty Organization (NATO) Unclassified, or Personnel Records should be prepared for the requirement of CMMC Level 2 self-assessments, which are expected to begin on the effective date of the final DFARS rule (CMMC Phase I).
  • Program managers or requiring activities, not the contractor, may request to waive CMMC assessment requirements.
    • The program managers or requiring activities, not the contractor, may request Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) approval to waive a CMMC assessment requirement for either an individual procurement or a class of procurements.
    • Waivers do not affect the requirements set forth in FAR 52.204-21, DFARS 252.204-7012, or the more advanced cybersecurity standard NIST SP 800-172, when applicable. In other words, the waiver applies only to the assessment, not the cybersecurity requirements that may be applicable in the contract.
    • Waivers on a class basis must include a planned expiration date and guidance for requiring CMMC certification in subsequent solicitations.
  • Waivers are not appropriate under certain circumstances.
    • Waivers are unlikely to apply to CMMC Level 1 or CMMC Level 2 self-assessments.
    • Waivers are not appropriate for contracts requiring performance by a cleared defense contractor.
    • For CMMC Level 3, waivers are not appropriate for contracts or work statements requiring access to both unclassified and classified DoD information.
  • Waivers under CMMC Level 2 third-party assessments and CMMC Level 3 third-party assessments may be applicable in “rare circumstances.”
    • For example, waiver of a CMMC Level 2 third-party assessment could theoretically be appropriate when the requiring activity is seeking competition from non-traditional DoD sources.

Separately, Katie Arrington announced her recent appointment as the DoD’s Chief Information Security Officer (CISO). The name will immediately refresh the recollections of those following CMMC over the years. Ms. Arrington previously held a narrower CISO position within the DoD’s Office of Acquisition & Sustainment under the first Trump administration. In that role, she was a notably staunch advocate for the original “CMMC 1.0” program.

Since the start of the new administration, speculation has swirled around whether CMMC would be on the regulatory chopping block. Many contractors staring down expected compliance deadlines as early as this summer have anxiously awaited clarity. With these recent developments, the answer appears to be an emphatic “no.” The DoD is showing no signs of slowing down on CMMC.
