How Will DoW Determine Which Level of CMMC Applies to My Agreement?

Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to how DoW will determine which level of CMMC should apply to a particular procurement, as well as when and how waivers will apply to CMMC requirements.  The Procurement Rule is clear that the CMMC level applicable to a procurement will initially be determined by the program teams, not by the contracting officer.  This suggests that the determinations will be made early in the procurement cycle.

On January 15, 2025, just before President Trump took office, the Department issued a Memorandum that provides insight into how these decisions should be made, including criteria for when a waiver may be appropriate.  The “DoD Procurement Toolbox” website still includes this Memorandum and provides that when a requirement is expected to result in award of a non-Federal Acquisition Regulation (FAR) based grant or other legal agreement, program managers and requiring activities are expected to follow the CMMC Level Determination Guide to select an appropriate CMMC level requirement.  

Based on the Memorandum, the intent was for DoW to include CMMC requirements in all its agreements, even though the Revolutionary FAR Overhaul gives contracting officers significantly more discretion in selecting contract types and other transaction agreements (OTAs) are not subject to the FAR or the Defense Federal Acquisition Regulation Supplement (DFARS).  It is unclear whether the current DoW leadership will still require DoW program offices to impose CMMC requirements on non-FAR/DFARS based agreements in light of the Trump Administration’s policies regarding innovation and DoW’s acquisition overhaul and acceleration initiatives.  But we would expect program offices to impose some level of cybersecurity controls in OTAs and other non-FAR/DFARS based agreements, and the CMMC requirements (i.e., NIST SP 800-171) provide a well-established source of such controls that program teams may use for these procurements.  Thus, the decision as to which, if any, CMMC levels should apply in non-FAR/DFARS based agreements may be made on a program-by-program basis depending upon the risks associated with a particular program.  Further insight on DoW’s approach may be forthcoming from Secretary Hegseth in his briefing with top executives from across the defense industry scheduled for November 7, 2025.

Assuming that it remains in force, the CMMC Level Determination Guide attached to the Memorandum is consistent with 32 C.F.R. § 170.3’s requirement for imposing CMMC through a phased process over the next three years.  Notably, the relevant determination as to when Level 2 requirements should apply is whether the contractor will store, process, or transmit Controlled Unclassified Information (CUI) in performance of the contract.  Thus, although the regulations give program offices flexibility to determine the appropriate CMMC level during the CMMC phase-in period, as a practical matter, determinations will be made consistent with the considerations set forth in the program regulations.  Attachment 2 to the Memorandum addresses CMMC waiver procedures.  Under this guidance, all CMMC waiver requests must be coordinated through the component Chief Information Officer (CIO) prior to Service Acquisition Executive (SAE) or Component Acquisition Executive (CAE) approval.  For programs under Defense Acquisition Executive (DAE) oversight, program managers are required to coordinate waiver requests through the component CIO, Program Executive Officer, CAE or SAE, and the Office of the DoW CIO.

As drafted, however, a waiver of CMMC requirements will not relieve contractors of the obligation to comply with FAR 52.204-21 or DFARS 252.204-7012, though DFARS 252.204-7012 has a more lenient allowance for plans of action and milestones than CMMC.  Nonetheless, waivers are likely to receive significant scrutiny within DoW, which may sharply limit their use.  Under the Memorandum, all waivers must be reported to the Under Secretary of Defense for Acquisition and Sustainment, the Under Secretary of Defense for Intelligence and Security, the Under Secretary of Defense for Research and Development, and the Office of the DoW CIO on a quarterly basis.  The quarterly report will specify the contracts awarded with CMMC assessment requirements waived, and will identify common Product Service Codes or other relevant information that may explain market circumstances necessitating such assessment waivers.

Ultimately, although there is flexibility afforded in the regulations, DoW’s current guidance would mean that contractors should not expect much leniency from DoW once CMMC goes into effect on November 10. 
