Background
On August 15, 2024, the Department of Defense (DoD) proposed amending the Defense Federal Acquisition Regulation Supplement (DFARS) to evaluate contractor cybersecurity (Cybersecurity Assessment Proposed Rule). Contractors already need documented, adequate security for handling sensitive information, but the proposed amendment creates a compliance verification mechanism. The amendment generally requires that prior to an award or extension, contractors must provide current results of a cybersecurity assessment under the Cybersecurity Maturity Model Certification (CMMC) 2.0, a proposed rule from late 2023 establishing a three-tiered security evaluation framework based on the type of information handled (CMMC 2.0 Proposed Rule).
The comment period for the Cybersecurity Assessment Proposed Rule will remain open until October 15, 2024. If the companion CMMC 2.0 Proposed Rule is finalized by the end of 2024, defense contractors may start seeing CMMC requirements in their contracts by spring 2025. Given this timeframe and the proposed rules’ stipulation that contractors must comply before a contract is awarded, defense contractors should start the CMMC compliance process now to ensure they don’t lose opportunities to bid on future contracts.
The three CMMC 2.0 compliance levels for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are as follows:
| Level | Handling | Security Controls |
| --- | --- | --- |
| 1 | FCI | 17 controls required by the Federal Acquisition Regulation (FAR) 52.204-21. |
| 2 | CUI | 110 controls aligned with NIST SP 800-171 Rev. 2. |
| 3 | CUI | Not yet released, but DoD indicated they will include the Level 2 controls plus a subset of NIST SP 800-172 controls. |
While the CMMC 2.0 Proposed Rule created the CMMC 2.0 framework, it did not explain how DoD would implement the CMMC. The Cybersecurity Assessment Proposed Rule is designed to close this loop.
The Cybersecurity Assessment Proposed Rule
Under the proposed amendment, when a CMMC level is included in a solicitation or contract, contracting officers will not make award, exercise an option, or extend the period of performance on a contract if the contractor does not have the following information in the Supplier Performance Risk System (SPRS) by the time the contract is awarded: (i) the results of a current certification or self-assessment for the required CMMC level or higher; and (ii) an affirmation of continuous compliance with the CMMC security requirements. Consequently, many contractors must start their compliance process now to ensure compliance by the time DoD begins inserting CMMC provisions in new contracts and extensions.
The CMMC certification information must exist in SPRS for each information system that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during contract performance. Note the proposed amendment defines CUI as “information the government creates or possesses, or an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Prime contractors must also flow the CMMC certification requirements down to their subcontractor(s) at all tiers when the subcontractor(s) will process, store, or transmit FCI or CUI on the prime contractor’s behalf. The certification level required for subcontractors will be the same as it would be for the prime contractor if the prime contractor were handling the same information.
During contract performance, contractors must notify contracting officers within 72 hours when there are any “lapses in information security or changes in CMMC compliance,” although these concepts are not defined in the proposed rule. Moreover, “current” with regard to CMMC certification means the following, assuming there are no changes in CMMC compliance since the assessment date:
- not older than 1 year for Level 1 self-assessments
- not older than 3 years for Level 2 certificates and self-assessments
- not older than 3 years for Level 3 certificates
- not older than 1 year for affirmations of continuous compliance with the security requirements
Contractors will post CMMC Level 1 and Level 2 self-assessments into SPRS. Level 2 certificate assessment results will be electronically transmitted to SPRS by the third-party assessment organization, and Level 3 certificate assessment results will be electronically transmitted to SPRS by the DoD assessor.
Implementation of the proposed rule follows a phased approach. For the first three years, inclusion of a CMMC requirement in a solicitation is determined by the program office or requiring activity after consulting CMMC 2.0 provisions. Contractors will know that CMMC applies to the contract, and the specific compliance level required, based on the inclusion of DFARS 252.204-7YYY in the solicitation. However, the Cybersecurity Assessment Proposed Rule does not specify how the CMMC Program Office will identify these contracts.
While this rollout ensures that only a limited number of prime contractors will need to be CMMC certified in the near term, many subcontractors may need the certifications along with the prime contractors. As noted above, prime contractors must flow the same certification requirements down to subcontractors handling FCI or CUI.
After the phase-in period, CMMC applies to all DoD solicitations and contracts, including those for the acquisition of commercial products or commercial services that involve processing, storing, or transmitting FCI or CUI. The proposed rule exempts only purchases below the micro-purchase threshold and purchases of commercial-off-the-shelf items.
Our Take
As CMMC moves closer to full implementation, contractors should keep several important points in mind from the latest proposed rule:
Now is the time for compliance. The latest proposal makes it clear that the CMMC program is moving forward despite past delays. Contractors should not wait until the requirements appear in solicitations to begin the certification process. According to the Government Accountability Office, typically only about a month elapses between solicitation and contract award, leaving little time for contractors and subcontractors to comply if they haven’t already completed the required assessments.
Ongoing focus on cybersecurity is essential. With the growing demand for and scrutiny of cybersecurity, CMMC will remain a priority for regulators tasked with protecting sensitive information. For contractors and subcontractors handling FCI and CUI, compliance and certification are not one-time events but continuous obligations. Cybersecurity must remain a daily focus for DoD contractors, involving regular recertification, preventing compliance lapses, notifying contracting officers of any changes, and understanding and implementing measures to meet potentially stricter notification requirements.
Significant uncertainty persists. Contractors should carefully document their cybersecurity procedures and any assumptions made during the certification process. Keeping a real-time record of the reasoning behind their interpretation of any unclear or vaguely defined aspects of CMMC may prove vital in defending against future enforcement actions.
Getting Ready. All contractors that handle FCI or CUI should start developing a robust plan to become CMMC certified and start aligning their security posture to CMMC’s requirements before it is fully implemented.