If you’ve been following the CMMC journey since 2019, you’ll see that we’re one inch closer to seeing Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements in defense contracts. If you haven’t, no worries, we’ll fill you in on what you need to know. Recently, the Department of Defense (DoD) released a draft rule that would implement CMMC into the acquisition process for defense contracts. Let’s talk about what this means for the future of CMMC and what the next steps are.
Cybersecurity Maturity Model Certification, or CMMC, was created to have a more controlled way to ensure contractors are meeting National Institute of Standards and Technology (NIST) guidelines and other cybersecurity requirements. If you’re a contractor in the Defense Industrial Base (DIB) and deal with Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI), then the CMMC program applies to you.
This proposed rule outlines how the Defense Federal Acquisition Regulation Supplement (DFARS) will be amended to implement CMMC. If published, this rule would specify the level of CMMC certification needed to be successful in future solicitations, contracts, delivery orders, etc., and dictate procedures around CMMC status and compliance. Below we’ll cover some key features of this proposed rule.
This rule dictates that contractors must have a current CMMC certificate or self-assessment at the CMMC level defined in the contract, or higher, at the time of award. This level must be maintained throughout the duration of the contract. This may provide contractors with more flexibility if they do not quite have the certification or self-assessment at the time of the bid but can complete it by award.
If you have any changes to the status of your CMMC certificate or self-assessment levels, you must notify the Contracting Officer (CO) within 72 hours.
Contractors must enter and maintain their CMMC compliance status in the DoD’s Supplier Performance Risk System (SPRS). This needs to be completed annually or whenever your security posture changes. DoD also plans to add a requirement to DFARS ensuring Contracting Officers verify CMMC certificate status in SPRS.
CMMC levels will be determined by the level of FCI and CUI a contractor will process, store, or transmit during the contract. It’s important to note that contracts only dealing with Commercial-Off-the-Shelf (COTS) products will be excluded from CMMC compliance requirements.
If you plan to use subcontractors on a contract who will also process, store, or transmit FCI or CUI, they must also hold the appropriate CMMC certification level.
This proposed rule adds a definition of CUI so there is more clarity on when CMMC applies. The definition, as used in the DFARS, reads:
Controlled unclassified information means information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Comments on this proposed rule are due by October 15, 2024. You can submit them to the osd.dfars@mail.mil email and be sure to include “DFARS Case 2019-D041” in the subject line. Since we don’t know exactly when this proposed rule and other proposed rules related to CMMC will be finalized, we don’t have a specific timeline, but we have some general information on DoD’s plan for CMMC implementation.
The DoD plans to have a phased roll-out of CMMC over a period of three years once the rule establishing the CMMC program in general is finalized and published. DoD hopes the three-year time period will mitigate any issues small businesses may have obtaining the certification or self-assessment levels necessary to complete contracts.
As mentioned above, we don’t know when CMMC will be formally implemented into defense contracts and beyond, but each proposed rule brings us a little closer. It’s important to use this time to prepare your company for these requirements and get organized.
To learn more about prepping for the final rule and what to look out for in the proposed rule content, check out our blog, “Preparing for the Final CMMC Rule.” To stay updated on future CMMC rule changes or other government requirements, subscribe to our blog and monthly newsletter. If you need help figuring out how to meet these requirements, or you need help prepping your GSA Schedule for future solicitations, we can help.