CMMC – DoD Releases Draft Contracting Rule to Enforce Contractor Cybersecurity Requirements

Published: August 22, 2024

Tags: Federal Market Analysis, Acquisition Reform, Contracting Trends, Cybersecurity, Defense, Policy and Legislation, Small Business

The Pentagon’s latest proposal will codify contractor cybersecurity requirements in contract clauses, requiring companies to prove their eligibility.

The Department of Defense (DoD) recently released a proposed acquisition rule that will insert their Cybersecurity Maturity Model Certification (CMMC) program requirements into the DoD contracting process. The latest rule is the second of two expected proposals to amend the Defense Acquisition Regulations Supplement (DFARS) rules to implement the CMMC program.

CMMC Contractor Requirements

The new proposed rule would revise the language to be included in future solicitations, contracts, delivery orders, and similar instruments, specifying the level of CMMC certification a contractor must hold to be awarded the contract.

Key details include:

  • Continuous Compliance Reporting – Contractors will be required to enter their CMMC compliance information into the DoD’s Supplier Performance Risk System (SPRS) and maintain it there, affirming it annually or updating it whenever their security posture changes, thereby attesting to continuous compliance with CMMC.
  • Tiered Certification Levels – The CMMC level required for contract award will be driven by the sensitivity of the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that a contractor will process, store, or transmit under the contract.
    • Contracts exclusively for commercial off-the-shelf (COTS) items are excluded from CMMC requirements.
    • Certifications may be obtained through a self-assessment for the lowest levels of concern (e.g., FCI) or through approved third-party assessments for more sensitive information, i.e., CUI.
  • CUI Defined – This proposed rule includes definitions for Controlled Unclassified Information (CUI), which is the sensitive information that DoD is trying to protect and the driving factor behind the creation of CMMC.
  • Flow-down of Requirements – Prime contractors must flow down the specific CMMC certification contract requirements to subcontractors when the subcontractor will process, store, or transmit FCI or CUI.
  • Certification Level Expectations – DoD estimates that 35% of the roughly 30K companies that comprise the defense industrial base (DIB) will require CMMC Level 2 third-party certification. The remaining 65% will be able to meet CMMC through self-assessments.
  • Public Comment – The latest proposed rule is open for sixty days of public comment, which will end Tuesday, October 15, 2024.

CMMC Implementation Timeframe

This latest proposed rule addresses the specific acquisition and contracting details, which complement the proposed CMMC program structure rule that the Pentagon published last December. The DoD and Office of Management and Budget (OMB) recently completed their review of that rule and so industry is anticipating its release in final form sometime later this year or in early 2025.

Other key implementation details in this most recently proposed rule include:

  • Three-year Phased Implementation – DoD plans a phased roll-out of CMMC over three years, once the previous rule establishing the CMMC program is finalized.
  • Mitigating Industry Impacts – The rule states, “the phased roll-out of CMMC over three years is intended to mitigate the impact of CMMC on contractors including small entities and is only expected to apply to 1,104 small entities in year one.” Looking back at December’s proposed program rule, DoD anticipates that 719 of these year-one small entities would be able to self-assess, while 385 would need third-party assessment certification.
  • Conjecture – If this new proposed rule follows a timeline similar to the December rule’s, then we might anticipate this second rule being finalized roughly 6-8 months after the close of the October public comment period. That would put it in the March-May 2025 timeframe, but this is only conjecture; it could come faster or slower. Either way, it appears that the finalization of this new rule may run concurrently with the start of DoD’s three-year phased implementation. Time will tell.

Implementation Questions Remain

There are not any big surprises in the latest proposal, but some questions remain to be answered.

The three-year phased roll-out will be met positively by most contractors who anticipate needing to obtain third-party certifications. However, DoD’s stated year-one industry impact expectations noted above are based on a seven-year phase-in period. (See Tables 4 and 5 in the December CMMC program rule linked above.) It is unclear how DoD will reconcile the seven-year phase-in with the latest three-year plan, and more importantly, how this will impact the DIB, especially small businesses.

A second implementation question that will take time to address is whether there will be enough third-party assessment capacity available to meet the pace of the CMMC roll-out. This question is on the minds of the DoD as well as the CyberAB, the entity charged with developing the ecosystem of CMMC assessors. So far, the CyberAB leadership assures us that they are on track to keep pace with the CMMC roll-out.

Whatever the answers to these and other questions turn out to be, companies that currently do, or plan to do, business with the DoD must prepare now, whether for their anticipated self-attestation or for a third-party assessment, by implementing the underlying security practices required by CMMC. Primes should also be preparing now to meet the subcontractor flow-down requirements. Failing to take these measures will put your business with DoD, and potentially with other federal agencies, at risk.