August 21, 2024

US DoD Proposes Final Rule to Incorporate Contractual Requirements for the Cybersecurity Maturity Model Certification (CMMC)

Share

On August 15, 2024, the Department of Defense (DoD) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule. The CMMC 2.0 program provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain.

Comments on this proposed rule can be submitted within a 60-day comment period, which ends on October 15, 2024. 

Background

You may be asking: Hasn’t there already been a proposed final rule addressing the CMMC requirements? Yes; as we described in a previous Legal Update, DoD published a Proposed Final Rule for the implementation of the CMMC program on December 26, 2023.

Whereas that rule describes the specific implementation and security requirements of CMMC in Title 32 of the Code of Federal Regulations (CFR), the latest proposed rule sets forth the contract clauses necessary to implement the program in Title 48 of the CFR.1 In this regard, the latest proposed rule modifies the Federal Acquisition Regulation (FAR) and the DFARS. This latest proposed rule would make three changes of note:

  • Contractors would have to prove CMMC compliance at the level included in a given solicitation and maintain compliance throughout contract performance.
  • Agencies would have to provide notice to contractors of the CMMC level required by the solicitation for the procurement, and offerors will need to submit proof of compliance with the specified CMMC level.
  • Contractors would be required to notify contracting officers if a lapse in a CMMC level occurs and affects information security requirements during contract performance.

Proposed Changes in More Detail

Proof of CMMC Compliance

The proposed rule would require contractors to prove, as of the time of award, CMMC compliance at the level required when the CMMC level is specified in the solicitation. The rule would also require contracting officers to verify in the Supplier Performance Risk System (SPRS) that the results of CMMC compliance are posted in SPRS for each DoD unique identifier (DoD UID) and that an apparently successful offeror has affirmed continuous compliance with the security requirements in 32 CFR Part 170. In addition, the proposed rule adds definitions for Controlled Unclassified Information (CUI) and DoD UID to DFARS 252.204.7501 (definitions at 88 FR 66336).

DFARS 252.204-7YYY

The proposed rule also introduces a new DFARS provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements. This provision requires notice to contractors of the CMMC level required by the solicitation and of the proof of compliance required to be submitted in SPRS.

The provision requires:

  • Offerors to post CMMC Level 1 and 2 self-assessments in SPRS
  • Third-party assessment organizations to post Level 2 certificate assessments in SPRS
  • The DoD assessor to post the Level 3 certificate in SPRS

The proposed rule adds a prescription in DFARS 204.7504 barring apparently successful offerors who do not have the results of CMMC compliance posted in SPRS and who do not affirm continuous compliance with security requirements from contract award.

Lapses in CMMC Level and Other Provisions

The proposed rule amends the CMMC requirements set forth in DFARS 252.204-7021 to add a requirement that contractor information systems that process, store, or transmit Federal Contract Information (FCI) or CUI during contract performance must meet a CMMC certification level as required in the contract. Additionally, contractors would be required to notify the contracting officer if they are unable to maintain the required CMMC certification level necessary to satisfy the relevant information security requirement during contract performance.  

This revised DFARS clause would also require contractors to have a senior company official affirm (on an annual basis) continuous compliance with applicable CMMC requirements. 

Finally, the proposed rule states that the clause applies to solicitations, contracts, task orders, or delivery orders that require a contractor to maintain a specific CMMC level, including those for the acquisition of commercial services and products, excluding commercially available off-the-shelf (COTS) items.

Implementation Details

The proposed rule would follow the phased roll-out process described in prior CMMC 2.0 rulemaking actions. During the three-year phase-in period, the requirements would only apply when the solicitation or contract requires a specific CMMC level. After this period, the requirements would apply to all contracts for which the contractor processes, transmits, or stores FCI or CUI during contract performance.

Conclusion

Comments regarding this proposed rule are due on October 15, 2024, and the rule could be finalized as soon as SPRING 2025. Once the rule is finalized, the three-year phase-in period would begin on the effective date of the final rule, and, in year four, the requirements would apply to all contracts for which the contractor processes, transmits, or stores FCI or CUI during contract performance.

 


 

1 This latest proposed rule also addresses the public comments to the Interim Rule under DFARS Case No. 2019-D41, which was published on September 29, 2020.

 

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe