CMMC Final Rule Includes M&A Trigger for New Assessment

As Crowell covered in a recent alert, the Department of Defense (DoD) on October 11, 2024 released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).

One aspect of CMMC that may have gotten lost in the shuffle of the Final Program Rule’s 470 pages is that when a contractor undergoes a merger or acquisition (M&A), the transaction may trigger a requirement for a new CMMC assessment.  As the groundwork for this requirement, the Final Program Rule states that “CMMC Level 2 self-assessment, Level 2 certification assessment, and Level 3 certification assessment are valid for a defined CMMC Assessment Scope.”  CMMC Assessment Scope means the set of all assets in the Organization Seeking Assessment’s (i.e., the contractor’s) environment that will be assessed against CMMC security requirements.  Under CMMC, in-scope assets will not only consist of IT infrastructure, but may also include personnel, service providers (e.g., managed service providers and managed security service providers), and other non-technical resources involved in handling or securing Controlled Unclassified Information (CUI). 

DoD stated in response to an industry comment attached to the Final Program Rule that where there is a significant change to the relevant assets defining the Assessment Scope, i.e., “if significant architectural or boundary changes are made to the previous Assessment Scope,” this requires a new CMMC assessment.[1]  Among the examples cited by DoD in its response of such a change in Assessment Scope are “expansions of networks or mergers and acquisitions.”  This means that in the event of M&A activity that results in significant architectural or boundary changes to the contractor’s previous Assessment Scope, the contractor may need to undergo a new CMMC assessment if it holds either Level 2 or Level 3 certification.  Such changes would generally be more likely in an asset sale than a stock purchase, but the rule does not make any explicit distinction based on the type of transaction. 

The Final Program Rule does not establish a specific deadline for completion of a new assessment if one is triggered.  Notably, however, the proposed rule that will update DFARS 252.204-7021, regarding CMMC implementation for contractors, lays out a requirement that contractors “[n]otify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.”  While it is unclear what the final rule for revisions to -7021 (anticipated in early or mid-2025) will include, a valid CMMC assessment will be required in connection with covered DoD contract awards, which could present timing challenges and require close coordination as between M&A activity and pending proposals and contract awards, as well as to ensure that the contractor does not have any CMMC compliance issues on its ongoing contracts. 

Key Takeaways

CMMC is already a hot topic within government contracts M&A diligence.  Buyers are inquiring about the Level of certification that acquisition targets plan to attain and what preparations those target contractors are undertaking.  Once CMMC implementation for contractors is finalized, likely next year, buyers and sellers engaged in the M&A process will also need to consider whether the transaction, and in particular post-closing integration plans, will impact the contractor’s Assessment Scope.  If it does, the implications and considerations include:

• whether the target contractor will maintain its existing IT infrastructure, modify it, or be subsumed within its acquirer’s (and the CMMC impact of each);
• the cost of a new assessment (and which party to the transaction should bear it); and
• the DoD requirements for the timing of the new assessment and its impact on current contract compliance as well as on new or pending proposals.

Crowell will continue to monitor as DoD is likely to elaborate on the specifics and timing of this requirement in the coming months.

 

[1] Curiously, one section of the DoD commentary states that a new assessment “is required” in such a situation, while in another the Rule says that a new assessment “may be required.”