Insights

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors.  The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies.  The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:

On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] 

On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts.  The Clause will require every defense contractor that handles Federal Contract Information (“FCI”) or Controlled Unclassified Information (“CUI”) to assess and certify compliance with select CMMC security requirements.  The August 2024 Proposed Rule introduces several distinct changes to the 7021 Clause published by DoD in January 2023, including:

On July 25, 2024 the Office of Management and Budget (OMB) issued Memorandum M-24-15, Modernizing the Federal Risk Authorization Management Program (FedRAMP) (the Memo).  The Memo proposes substantial updates to FedRAMP, replacing the December 2011 memorandum (2011 Memo) that established FedRAMP as the government-wide security and risk assessments program for cloud services providers (CSPs) supporting federal government operations.

On May 14, 2024, the National Institute of Standard and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and its companion assessment guide, NIST SP 800-171A, Revision 3 (collectively, “Rev. 3 Final Version”).  While the Department of Defense (DoD) is not requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3 for now, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cyber Maturity Model Certification (CMMC) program. 

On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), specifying that contractors subject to the clause must comply with NIST SP 800-171, Revision 2.  The deviation (labeled Deviation 2024-O0013) will delay the incorporation of NIST SP 800-171, Revision 3—which is set to be finalized in the next few weeks—into DFARS 7012.

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.

On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.

On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.”  The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls.  The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor.  Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).

In a June 30, 2023 decision by the Superior Court of California, County of Sacramento, the Court issued a ruling delaying agency enforcement of final regulations under the California Privacy Rights Act (CPRA) until March 2024. Calfornia Chamber of Commerce v. California Privacy Protection Act, Case No. 34-2023-80004106-CU-WM-GDS (Sacramento Superior Court, June 30, 2023).

On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.

On June 9, 2023, the Office of Management and Budget (OMB) released M-23-16, Update to Memorandum M-22-18, which alters key deadlines and clarifies how agencies and software developers can comply with M-22-18.  The original memorandum, published in September 2022, required all federal agencies and their software developers to comply with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance (collectively, NIST Guidance) whenever third-party software is used on government information systems or otherwise affects government information.

On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft of NIST Special Publication (SP) 800-171 Revision 3, containing new and revised cybersecurity controls that, when finalized, will be required for federal contractors handling Controlled Unclassified Information (CUI).

On April 28, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited draft Secure Software Development Self-Attestation Form.  The form is a key component of the mandatory software supply chain security requirements introduced by last fall in Office of Management and Budget (OMB) Memorandum M-22-18. The Form requires certain software developers to attest to specific security elements of their software development life cycle (SDLC) and their development environment. 

On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments: item risk, price risk, and supplier risk. The final rule introduces a new solicitation provision, DFARS 252.204-7024, which instructs contracting officers to consider these assessments, if available, in the determination of contractor responsibility.

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.

After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP).  The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification.  The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.