In October, the Cybersecurity Maturity Model Certification final program rule was published by the Defense Department. The CMMC outlines security controls that federal contractors must have in place to protect federal contracting information (FCI) and controlled unclassified information (CUI). Across my LinkedIn feed, federal contractors are expressing concern about the pressure that they feel as they strive for compliance with the directives. Implementing the CMMC can be time-consuming and expensive for companies, and there are only a few organizations authorized to conduct the third-party audit required for CMMC Level 2 certification. While the CMMC requirements will start making their appearance in some solicitations and contracts earlier (and must be met before award in those cases), the program provides for a phase-in period of three years before the CMMC certification is a requirement for all new contracts and solicitations. The phase-in may lead to sighs of relief from some. But while the phase-in period is helpful, federal contractors that scale back on efforts to implement the program during that time misunderstand the purpose of the CMMC.
The Federal Acquisition Regulation (FAR) outlines the rules that the federal government and contracted organizations must follow when establishing contracts. The FAR is large and covers a wide array of requirements for all departments in the federal government. The DoD also has the Defense Federal Acquisition Regulation Supplement (DFARS), which expands on the FAR. Both regulations include sections and subsections governing the protection of FCI and CUI, as well as reporting requirements in the event of a data breach. Contracts established by the federal government include language stating that compliance with the FAR and DFARS is required. By signing the contract, the contracted organization is stating that it is compliant with the FAR and DFARS rules. When the DoD inspector general discovered that there was no systemic mechanism in place to verify, beyond self-attestation, that federal contractors were following the information protection rules set forth in the FAR and DFARS, the Office of the Under Secretary of Defense for Acquisition and Sustainment conceived the CMMC.
All of that is to say this: The CMMC is a framework to verify compliance with existing FAR and DFARS provisions, not the requirement in and of itself. It is critical to understand that the phase-in period for the CMMC does not relieve federal contracting organizations of compliance with the information protection rules that are already in the FAR and the DFARS. The final rule explicitly states in Section 170.5, “… the CMMC Program does not alter the requirements imposed on contractors and subcontractors in FAR clause 52.204-21, DFARS clause 252.204-7021, or any other applicable safeguarding of information requirement. The CMMC Program verifies implementation of security requirements … as applicable.” Those existing clauses themselves already require the exact same practices that the CMMC will ensure Level 1 and Level 2-certified entities are following. Further, under the “Discussion of Public Comments,” the final rule notes that FAR clause 52.204-21 was effective in 2016 and DFARS clause 252.204-7012 was effective in 2017, giving contractors over seven years to implement the requirements.
This is critical to understand for two reasons. First, a federal contractor is subject to FAR and DFARS rules from the date the contract is signed and, in the event of a breach, is also subject to liability if the data was not sufficiently protected and/or the breach was not appropriately reported. While the CMMC phase-in period provides time for federal contracting organizations to secure the level of certification they need to be eligible for DoD contracts, it does not provide a grace period for compliance with data protection requirements. Second, the CMMC as implemented today applies only to the DoD, whereas the FAR applies across all departments of the federal government. If you are a federal contractor working with the Department of Energy, the Interior, Agriculture, etc., your organization is still required to implement data protection for FCI and CUI even though you are not subject to the CMMC. As cybersecurity continues to gain attention, it is highly likely that the CMMC, or variations of it, will stand up in other departments outside of the DoD.
A data breach is damaging not only to national security, but also to the efficient and effective functioning of the federal government. The 2023 National Cybersecurity Strategy recognizes this and states, “Cybersecurity is essential to the basic functioning of our economy, the operation of our infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense. … This strategy recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace.” Because of the importance of cybersecurity, there is more emphasis on holding accountable those organizations within the Defense Industrial Base (DIB) that fail to protect sensitive information, and the federal government is leveraging the False Claims Act (FCA) to that end. In September 2023, Verizon was found in violation of the FCA and suffered a $4.1 million penalty. Less than a year later, in August 2024, the government filed suit against the Georgia Institute of Technology for alleged cybersecurity violations. One attorney, Alexander Gorelik of Taft Stettinius & Hollister LLP, notes that “all of the lawsuits, to date, confirm that even failure to comply with standards of cybersecurity in the FAR, DFARS, and the contract alone, rather than the CMMC, can lead to significant penalties.” He adds that “even settlements in such cases are often quite costly for contractors that find themselves having to address lawsuits and investigations of their cybersecurity compliance.”
Federal contracting organizations must ensure that they understand what the CMMC is and is not, take all appropriate measures to protect the sensitive information entrusted to them by the federal government, and accurately report compliance and potential breaches under the FAR and DFARS. The National Institute of Standards and Technology Special Publications 800-171 and 800-172 form the basis of these regulations and serve as the foundational guidance for all federal government departments. If your contracting organization is not already familiar with them, you should become familiar with them, as they provide significant guidance on how to implement data protection measures. The Defense Acquisition University (DAU) also provides courses on the CMMC, its purpose and its implementation.
Do not misunderstand the CMMC, as a misunderstanding here impacts not only the protection of federal sensitive information, but also the contracting organization’s liabilities under the contract. Data protection is already required of federal contractors under the FAR and DFARS. The CMMC simply provides the DoD a means to validate compliance with these rules.
I would like to thank Mr. Alexander Gorelik of Taft Stettinius & Hollister LLP for his thoughtful review and suggestions that helped shape this commentary.
Shaun Rieth is a 22-year retired Air Force cyber operator who returned to serve as a federal contractor under METI, Inc, currently supporting the 557th Weather Wing on Offutt Air Force Base in Nebraska as a senior cybersecurity analyst in the Defensive Cyber Operations flight. He holds a BS in IT Operations Management, an MBA, and the CCISO, CISSP and CCSP certifications.
© 2025 Federal News Network. All rights reserved.