Page 139 - Cyber Defense eMagazine March 2024
C3PAO itself will submit the necessary results to the CMMC Enterprise Mission Assurance Support
Service (eMASS), which will, in turn, transmit the results to SPRS. The proposed rule includes an appeal
process to resolve any disagreements over the Certification Assessment. As with Level 1, Level 2
requires contractors to submit an initial affirmation of compliance and then to affirm their continued
compliance annually thereafter.
CMMC Level 3
CMMC Level 3 is unlike the two prior Levels. First, it imposes several security requirements in addition
to those under existing regulations. Second, the certification assessments are completed by the Defense
Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center
(DIBAC). Before scheduling an assessment with the DIBAC, contractors must obtain a CMMC Level 2
certification, making it a prerequisite. As at Level 2, contractors must submit an initial compliance
affirmation to SPRS, a POA&M closeout affirmation if applicable, and an affirmation of continued
compliance annually thereafter.
Rollout
The CMMC requirements will be implemented through four phases.
• Phase 1 (upon the effective date of the final rule): Will require COs to incorporate CMMC Level 1 Self-Assessment or Level 2 Self-Assessment requirements in contracts and make the award of specific contracts contingent on compliance. Under the proposed rule, DoD has the discretion to require contractors to submit a CMMC Level 2 Certification Assessment instead of a Level 2 Self-Assessment for certain solicitations and contracts.
• Phase 2 (six months after the start of Phase 1): Will begin the formal rollout of Level 2 Certification Assessments by adding the requirement to all applicable solicitations and contracts. Under the proposed rule, DoD has the discretion to include CMMC Level 3 Certification Assessment requirements in certain solicitations and contracts.
• Phase 3 (one year after Phase 2 begins): Will begin the implementation of the CMMC Level 3 Certification Assessment requirements for applicable contracts.
• Phase 4 (one year after Phase 3 begins): Will include CMMC requirements in all applicable solicitations and contracts, including option periods for awards made prior to Phase 4.
The final rollout will likely be sometime in 2027.
Consequences of Noncompliance with the CMMC Process
A major component of the proposed rule is the affirmation process, under which contractors must affirm
compliance initially and annually thereafter. These mandatory certifications expose contractors to
potential False Claims Act (FCA) liability for willfully, or even recklessly, inaccurate certifications. The FCA
imposes liability on a government contractor who “knowingly presents, or causes to be presented, a false
or fraudulent claim for payment or approval [or] knowingly makes, uses, or causes to be made or used,
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.