The Department of Defense (DoD) released the highly anticipated proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS), to incorporate Cybersecurity Maturity Model Certification (CMMC) 2.0 contracting rules on August 15, 2024, marking a significant step toward enhancing cybersecurity across the Defense Industrial Base (DIB).
With CMMC 2.0, the DoD aims to simplify and streamline cybersecurity compliance while reinforcing the safeguarding of sensitive information within its contractor network.
Learn more about the CMMC’s history, the ruling’s key provisions, and how the proposed changes will impact government contractors’ cybersecurity compliance requirements.
The original CMMC program was announced in 2019 in response to growing concerns over cybersecurity risks within the DIB. When draft requirements were published in 2020, CMMC 1.0 required DoD contractors and subcontractors to meet varying levels of cybersecurity maturity, depending on the nature of their work and the sensitivity of the data they handled. However, the complexities and costs associated with compliance under the initial version led to feedback from industry stakeholders, prompting the DoD to overhaul the program.
CMMC 2.0 was introduced in late 2021 as a more flexible and cost-effective approach to cybersecurity compliance. The primary goals of CMMC 2.0 were to reduce the administrative burden on contractors while still ensuring the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The latest proposed rule, published on August 15, 2024, builds on the December 2023 guidance, providing additional clarity on how the program will be administered and outlining the necessary contractual obligations.
The proposed rule introduces several critical updates to the CMMC framework and formalizes many aspects of the CMMC 2.0 program. One of the most significant changes involves the contracting process. Under this proposed rule, contract solicitations will include the CMMC level required for the contract. Previously, some officials had considered treating CMMC certification documents as part of contract proposals, while others had considered requiring certification only after contract award. Under the proposed rule, the contract will not only specify the required compliance level; contractors will also be required to submit CMMC certification documents at the time of award, meaning contractors will need to be compliant before the award is granted.
Contractors must upload the results of their CMMC self-assessments and certifications to the Supplier Performance Risk System (SPRS), a DoD system used to track contractor cybersecurity compliance.
The new proposed rule also mandates that apparently successful offerors and contractors must have up-to-date certifications or self-assessments on file in SPRS before the award of any new contract, the exercise of an option, or the extension of a contract’s performance period. Contracting officers will be responsible for verifying these certifications before finalizing awards.
Another notable provision is the requirement for contractors to flow down CMMC requirements to subcontractors at all tiers. This flow-down obligation means that any subcontractor handling FCI or CUI must also achieve the appropriate CMMC certification level. This aspect of the proposed rule aims to ensure the security of the entire supply chain, from prime contractors down to the smallest subcontractors.
The proposed rule also introduces a new concept: DoD Unique Identifiers (UIDs). These identifiers will be assigned to each contractor’s information system undergoing certification or self-assessment and will be used to track compliance within the SPRS.
Contractors will be required to provide their DoD UIDs upon request from a contracting officer for any system processing FCI or CUI during contract performance. This addition aims to improve the DoD’s ability to monitor and verify the security of contractor systems.
One of the more contentious aspects of the new proposed rule is the requirement to notify contracting officers of any lapses in information security or changes in CMMC certification status within 72 hours. While transparency is crucial to maintaining trust and security, this provision could place a heavy burden on contractors.
For instance, defining what constitutes a lapse in security remains unclear, leaving contractors in a challenging position when determining whether a reportable event has occurred. Moreover, contractors handling multiple contracts may find themselves obligated to submit multiple reports for a single incident, complicating the reporting process.
This new reporting requirement could lead to operational inefficiencies, as contractors may be compelled to report security issues before having a chance to fully assess and mitigate them internally. This provision could also expose contractors to heightened scrutiny from the DoD and other regulatory bodies, adding an additional layer of complexity to the already challenging compliance landscape.
The phased rollout of CMMC 2.0 will begin after the proposed rule is finalized, but contractors should start preparing now. The comment period for the proposed rule closes on October 15, 2024, and the final rule is expected to be published shortly thereafter. Contractors should closely monitor developments and consider submitting comments if they have concerns about the new requirements.
In the meantime, contractors should focus on reviewing their current cybersecurity practices and determining whether they meet the new CMMC 2.0 requirements. Achieving the appropriate certification level, particularly for contractors at Level 3, which requires third-party assessments, could take time, so early preparation is essential. Additionally, contractors should assess their supply chains and ensure that their subcontractors are aware of, and preparing for, CMMC 2.0 compliance as well.
The DoD’s August 2024 proposed rule signifies that the implementation of CMMC 2.0 is imminent. As the cybersecurity threats facing the DIB continue to evolve, the CMMC framework provides a critical tool for contractors to protect sensitive information and maintain compliance with federal regulations. By staying ahead of these requirements and preparing now, contractors can position themselves for success in this new era of cybersecurity compliance.
To learn more about CMMC 2.0, its potential impact to your business, and how to prepare for its implementation, contact your Moss Adams professional.