The Defense Department recently proposed a new rule, published in the Federal Register on August 15, detailing how it plans to integrate the Cybersecurity Maturity Model Certification (CMMC) program into its contracting process. The CMMC program is designed to assess whether companies handling sensitive unclassified information comply with the department’s cybersecurity requirements.
Since its announcement in 2019, the CMMC program has evolved through several versions, with the current iteration, known as CMMC 2.0, introducing three certification levels that vary depending on the type and sensitivity of the information a company handles. Companies at Level 1 and some at Level 2 can conduct self-assessments to verify compliance. However, certain Level 2 contractors will require certification from a third-party assessor, while all Level 3 assessments will be conducted by government assessors.
The proposed rule includes a provision requiring the Defense Department to notify contractors of the specific CMMC level required by a solicitation. Additionally, it mandates that the successful offeror must post the required CMMC certification or self-assessment results in the department’s Supplier Performance Risk System before a contract is awarded.
Further, the rule proposes amendments to the Defense Federal Acquisition Regulation Supplement, necessitating that contractors, at the time of award, provide current CMMC certification or self-assessment results at the required level for all information systems processing, storing, or transmitting federal contract information (FCI) or controlled unclassified information (CUI) during contract performance.
Another critical aspect of the proposed rule is the requirement for prime contractors to ensure that all CMMC requirements are passed down to their subcontractors. This means that prime contractors must verify that their subcontractors not only understand but also comply with the necessary CMMC levels for handling FCI or CUI.
The rule also introduces an annual requirement for contractors to reaffirm their continuous compliance with the required CMMC level for ongoing contracts. Contractors must report any changes to their compliance status, which could have significant repercussions, particularly in light of recent attention to False Claims Act violations.
To ease the financial burden and minimize supply chain disruptions, particularly for small businesses, the Defense Department has outlined a three-year phased rollout of the CMMC program. During this period, the CMMC requirement will be included only in certain contracts, with full implementation expected after three years.
The Defense Department estimates that after the three-year rollout, approximately 35 percent of companies will need Level 2 third-party certification. However, some experts believe this estimate may be low, because the presence of CUI in contracts has likely been underreported.
The proposed rule also provides a definition of CUI, clarifying it as information that the government creates or possesses, or that an entity creates or possesses on behalf of the government, which requires safeguarding or dissemination controls as mandated by law, regulation, or government-wide policy.
The Defense Department will accept public comments on the proposed rule until October 15. After reviewing the feedback, the department will aim to balance the needs of the defense supply chain with the necessity of enforcing robust cybersecurity practices.
As the CMMC program continues to gain momentum, many prime contractors are already working to ensure their suppliers meet the required standards, preventing disruptions in existing or future contracts. The progress toward CMMC implementation marks a significant and necessary step forward in securing the defense supply chain against ever-increasing cyber threats.