DoD proposes CMMC 2.0 rule to enhance cybersecurity in defense industrial base, seeks comment


The U.S. Department of Defense (DoD) is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the proposed Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule, Cybersecurity Maturity Model Certification program. The proposed DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base (DIB).

In a Federal Register notice published Thursday, the defense agency called for comments from interested stakeholders on the proposed rule. Comments must be submitted in writing on or before October 15, 2024, to be considered in the formation of a final rule.

CMMC 2.0 provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain. The section of the Fiscal Year 2020 National Defense Authorization Act that the proposed DFARS rule partially implements directed the Secretary of Defense to develop that consistent, comprehensive framework for the U.S. defense industrial base no later than February 1, 2020.

In November 2021, a notice was published in the Federal Register to suspend the CMMC 1.0 pilot efforts. The purpose of suspending the CMMC 1.0 pilot efforts was to allow for the development of CMMC 2.0. On December 26, 2023, DoD published in the Federal Register the proposed CMMC 2.0 program rule, Cybersecurity Maturity Model Certification program, to establish the CMMC 2.0 program requirements.

DoD is implementing a phased rollout of CMMC. Over three years, CMMC will be phased in based on the CMMC 2.0 program requirements. The DFARS clause on ‘Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements’ is prescribed for use in solicitations and contracts that require the contractor to have a specific CMMC level. This includes solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial products and commercial services, but excludes acquisitions exclusively for commercially available off-the-shelf (COTS) items.

To implement the phased rollout, whether a CMMC requirement is included in a given solicitation during this period will be determined by the program office or requiring activity after consulting the CMMC 2.0 requirements.

During the phase-in period, when there is a requirement in the contract for CMMC, CMMC certification requirements must be flowed down to subcontractors at all tiers, when the subcontractor will process, store, or transmit federal contract information (FCI) or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors under the proposed CMMC 2.0 requirements.

After the phase-in period, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial products or commercial services (except those exclusively for COTS items), valued at greater than the micro-purchase threshold that involve processing, storing, or transmitting FCI or CUI. 

When a CMMC level is included in the solicitation or contract, contracting officers will not make an award, exercise an option, or extend the period of performance on a contract if the offeror or contractor does not have, in the Supplier Performance Risk System (SPRS), the results of a current certification or self-assessment for the required CMMC level and an affirmation of continuous compliance with the security requirements, for all information systems that will process, store, or transmit FCI or CUI during contract performance.

Furthermore, CMMC certification requirements must be flowed down to subcontractors at all tiers when the subcontractor will process, store, or transmit FCI or CUI, based on the sensitivity of the unclassified information flowed down to each subcontractor under the CMMC 2.0 requirements that the proposed program rule would establish.

The DoD considered three alternatives for the timing of the requirement to achieve a CMMC 2.0 level certification in the development of this proposed rule, weighing the benefits and risks of requiring CMMC 2.0 level certification at the time of proposal submission, at the time of award, or after contract award. DoD ultimately adopted the second alternative, requiring certification at the time of award.

The drawback of the first alternative is the increased risk for offerors, since they may not have sufficient time to achieve the required CMMC certification before submitting a proposal. The drawback of the third alternative is the increased schedule risk and uncertainty for DoD, because a contractor may be unable to achieve the required CMMC level in a reasonable amount of time given its current cybersecurity posture. Such a delay would affect the entire supply chain and prevent the appropriate flow of FCI and CUI to the contractor and its subcontractors.

DoD intends to apply the provision and clause to contracts and subcontracts valued at or below the Simplified Acquisition Threshold (SAT), but greater than the micro-purchase threshold, for the acquisition of commercial products (excluding COTS items) and for the acquisition of commercial services.

The notice also assesses that for the first three years after the effective date of the final rule, the information collection requirements will only impact an offeror or contractor when the solicitation or contract requires an offeror or contractor to have a specific CMMC level, based on a phased rollout plan, including solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items.

By the fourth year, the information collection requirements in the solicitation provision and contract clause will impact solicitations and contracts, task orders, or delivery orders, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, when there will be a requirement under the contract to process, store, or transmit FCI or CUI, except for solicitations and contracts solely for the acquisition of COTS items.

For each of the information systems that will process, store, or transmit FCI or CUI, DoD assumes it will take offerors and contractors an estimated five minutes to post the results of the CMMC self-assessments in SPRS; an estimated five minutes to complete the required affirmation in SPRS; and an estimated five minutes to retrieve DoD UIDs in SPRS for the information systems that will be used in performance of the contract and to submit the DoD UIDs to the government.

For the government, DoD assumes it will take an estimated five minutes to validate the existence of the correct level and currency of a CMMC certification or CMMC self-assessment results associated with offeror DoD UIDs in SPRS for the successful offeror before award and for the contractor before exercising an option or extending any period of performance. 

DoD also estimates five minutes to validate the existence of a current affirmation for each of the contractor information systems that will process, store, or transmit FCI or CUI, and five minutes to validate the existence of the correct level and currency of a CMMC certification or CMMC self-assessment and affirmation associated with contractor DoD UIDs in SPRS when the information systems change during contract performance.

The primary cost impact of this proposed rule is that successful offerors for contracts that include a CMMC requirement will now be required to carry out the activities described above, such as posting assessment results, affirmations, and DoD UIDs in SPRS. The benefits of the proposed rule include verification of a DIB contractor’s implementation of system security requirements. CMMC adds the element of verification of a DIB contractor’s cybersecurity through the use of accredited third-party assessors.

The proposed rule provides increased assurance to DoD that a DIB contractor can adequately protect sensitive unclassified information such as CUI at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

Another benefit of the proposed rule is that it supports the protection of intellectual property and sensitive information from malicious activity that has a significant impact on the U.S. economy and national security. While there is not enough information to estimate the benefits of this rule at this time, DoD assumes there will be a benefit from reducing the threat of malicious cyber activity.