ARTICLE
16 August 2024

DoD Publishes Proposed Rule To Amend DFARS Provisions Related To The CMMC 2.0 Program

Bass, Berry & Sims

Bass, Berry & Sims is a national law firm with nearly 350 attorneys dedicated to delivering exceptional service to numerous publicly traded companies and Fortune 500 businesses in significant litigation and investigations, complex business transactions, and international regulatory matters. For more than 100 years, our people have served as true partners to clients, working seamlessly across substantive practice disciplines, industries and geographies to deliver highly-effective legal advice and innovative, business-focused solutions. For more information, visit www.bassberry.com.

On August 15, the Department of Defense (DoD) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the proposed Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule.

As discussed in our previous blog post, DoD's CMMC 2.0 Program introduces mandatory cybersecurity certifications, phased implementation, and stringent compliance requirements for contractors and their subcontractors within the defense industrial base to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This proposed rule follows the publication of an interim rule on September 29, 2020, under the same DFARS Case 2019-D041.

Key Changes in the Proposed Rule

The proposed rule primarily focuses on implementing the CMMC 2.0 Program framework. Below are the essential features of the proposed rule that contractors should be aware of:

1. Amendments to DFARS 204.7502, Policy

The amendments to DFARS 204.7502, Policy, require that whenever a CMMC level is included in the solicitation, contractors must, at the time of contract award, provide the results of a current CMMC certification or self-assessment at the specified level for all information systems involved in processing, storing, or transmitting FCI or CUI.

2. Adding Requirement to DFARS 204.7503, Procedures

Under DFARS 204.7503, Procedures, the proposed rule stipulates that contracting officers must collaborate with the program office or requiring activity to ensure, before awarding a contract, exercising an option, or when new DoD Unique Identifiers (UIDs) are issued, that (1) the results of a current CMMC certification or self-assessment at the required level, or higher, are posted in the Supplier Performance Risk System (SPRS) for each DoD UID linked to contractor information systems that process, store, or transmit FCI or CUI during contract performance; and (2) the selected offeror has a current affirmation of continuous compliance with the security requirements outlined in 32 CFR Part 170, also posted in SPRS for each relevant DoD UID.

3. Additions to DFARS 204.7501, Definitions

The proposed rule also adds a definition of "CUI" at DFARS 204.7501 for use only in the subpart based on the definition of CUI provided in 32 CFR 2002. It also adds definitions of "current" and "DoD UID."

4. New DFARS Provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements

The new DFARS Provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements, requires that solicitations provide notice to offerors regarding the required CMMC level and the necessity for the apparently successful offeror to have their CMMC certification or self-assessment results posted in SPRS prior to award unless electronically posted. Under the new DFARS clause, offerors are responsible for uploading their CMMC Level 1 and Level 2 self-assessments to SPRS, with Level 2 and Level 3 certification results being transmitted by the third-party assessment organization (3PAO) and the DoD assessor, respectively.

Additionally, under the new clause, apparently successful offerors must provide, upon the contracting officer's request, the DoD UIDs issued by SPRS for the contractor information systems involved in processing, storing, or transmitting FCI or CUI during contract performance.

Finally, the new DFARS clause specifies that if the required CMMC certification or self-assessment results and continuous compliance affirmation are not entered in SPRS, the apparently successful offeror will not be eligible for the award of the contract, task order, or delivery order.

5. Changes to DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement

The proposed rule includes several key changes to DFARS 252.204-7021, including:

  • New definitions are added for CMMC, "current" as it relates to CMMC, and DoD UID, and the scope statement is removed.
  • Contractors must maintain the required CMMC level throughout the contract's duration and submit DoD UIDs for any systems handling FCI or CUI.
  • Contractors must annually affirm continuous compliance with the security requirements, with the affirmation made by a senior company official.
  • Contractors must notify the contracting officer of any changes in their information systems and provide the corresponding DoD UIDs for review.
  • Contractors must ensure that their subcontractors also meet the appropriate CMMC level before awarding subcontracts, and that these requirements are flowed down through all tiers of the supply chain.
  • Contractors must only transmit data on systems certified at the CMMC level specified in the contract, and must notify the contracting officer of any lapses or changes in CMMC certification that could impact information security. The clause will clearly state the required CMMC level.

6. Adding DFARS 204.7504

This new section adds the prescription for the new DFARS solicitation provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements. Specifically, DFARS 252.204-7YYY is prescribed for use in solicitations that include the clause at 252.204-7021. Further, the section instructs contracting officers to apply the clause at DFARS 252.204-7021 to solicitations and contracts, task orders, or delivery orders that require the contractor to have a specific CMMC level, including solicitations and contracts using FAR Part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of commercial off-the-shelf (COTS) items.

7. Timing of the Requirement to Achieve a CMMC 2.0 Level Certification

In developing the proposed rule, DoD considered three options for when contractors should achieve CMMC 2.0 certification: (1) at the time of proposal submission; (2) at the time of award; or (3) after contract award. DoD chose to require certification at the time of award to balance the inherent risks. Specifically, requiring certification at the proposal stage could pose challenges for offerors who may not have enough time to obtain the certification, while delaying certification until after the award could introduce significant risks to the project schedule and disrupt the secure flow of information throughout the supply chain.

Analysis of Public Comments in Response to the Interim Rule

While this proposed rule does not finalize its preceding interim rule linked above, it does respond to public comments received in response to the interim rule that related to contractual requirements of the CMMC 2.0 Program. Below is a synopsis of some highly relevant comments addressed by DoD in the proposed rule.

  1. Regarding small business impacts for compliance with CMMC, DoD responded that the phased roll-out approach is intended to mitigate the impact of CMMC on contractors, including small entities, and is only expected to apply to 1,104 small businesses in year one.
  2. As for CMMC's applicability, DoD clarified that the provision and clause in this proposed rule: (1) exempt only contracts that are exclusively for the acquisition of COTS items; (2) do not address CMMC's applicability to Other Transaction Agreements (OTA), which is outside the scope of this proposed rule, although if the program office or requiring activity identifies a need to include a CMMC requirement in an OTA, it will be included in the solicitation and resulting agreement; and (3) apply to contracts at or below the simplified acquisition threshold, but not to purchases at or below the micro-purchase threshold.
  3. On the apparent crossover of DFARS 252.204-7012 and DFARS 252.204-7021, DoD stated that while similar, DFARS 252.204-7012 and DFARS 252.204-7021 are not duplicative. Specifically, DoD explained that DFARS 252.204-7012, Safeguarding, establishes cybersecurity requirements for contractors, while DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, establishes requirements for an assessment of how well a contractor is meeting the cybersecurity requirements specified in DFARS 252.204-7012.
  4. Regarding prime contractors verifying subcontractor compliance, DoD stated that although there is not currently a tool for prime contractors to validate their subcontractors' CMMC certificates or self-assessments, prime contractors are expected to work with their suppliers to conduct verifications as they would under any other clause requirement that applies to subcontractors.
  5. For joint venture compliance, DoD stated that each individual entity that has a requirement for CMMC must comply with the requirements related to the individual entity's information systems that process, store, or transmit FCI or CUI during contract performance.
  6. In response to a comment that it appears the CMMC clause would be included in non-COTS item contracts with no FCI or CUI involved at the prime contractor and subcontractor levels, DoD clarified that the proposed rule prescribes the CMMC clause for use only in solicitations and contracts that require the contractor to have a specific CMMC level.

Public Comments and Next Steps

DoD is currently accepting public comments on this proposed rule until October 15, 2024, giving stakeholders an opportunity to provide DoD feedback on the proposed rule's impact, particularly concerning small businesses and the defense industrial base. Following the submission of public comments, DoD will review and address the comments and then begin the process of publishing the final rule, which is anticipated sometime in the first quarter of 2025.

Conclusion

This proposed rule marks a significant step in DoD's efforts to implement the CMMC 2.0 Program, and ultimately advance the DoD supply chain's security against cyber threats. Contractors can anticipate this final rule to be published sometime in the first quarter of 2025 with a phased roll-out of the CMMC 2.0 Program possibly beginning as early as next summer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
