27 August 2024

US DoD Proposes Final Rule To Incorporate Contractual Requirements For The Cybersecurity Maturity Model Certification (CMMC)

Mayer Brown


On August 15, 2024, the Department of Defense (DoD) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule. The CMMC 2.0 program provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain.

Comments on this proposed rule can be submitted within a 60-day comment period, which ends on October 15, 2024.

Background

You may be asking: Hasn't there already been a proposed rule addressing the CMMC requirements? Yes; as we described in a previous Legal Update, DoD published a proposed rule implementing the CMMC program on December 26, 2023.

Whereas that earlier rule sets out the specific implementation and security requirements of CMMC in Title 32 of the Code of Federal Regulations (CFR), the latest proposed rule sets forth the contract provisions and clauses needed to apply the program to DoD procurements in Title 48 of the CFR.1 To that end, it amends the DFARS, DoD's supplement to the Federal Acquisition Regulation (FAR). The latest proposed rule would make three changes of note:

  • Contractors would have to prove CMMC compliance at the level included in a given solicitation and maintain compliance throughout contract performance.
  • Agencies would have to notify offerors of the CMMC level required by the solicitation for the procurement, and offerors would have to submit proof of compliance with the specified CMMC level.
  • Contractors would be required to notify contracting officers if a lapse in a CMMC level occurs and affects information security requirements during contract performance.

Proposed Changes in More Detail

Proof of CMMC Compliance

The proposed rule would require contractors to prove CMMC compliance as of the time of award, at the level required, whenever a CMMC level is specified in the solicitation. It would also require contracting officers to verify in the Supplier Performance Risk System (SPRS) that the results of CMMC compliance are posted for each DoD unique identifier (DoD UID) covered by the contract and that the apparently successful offeror has affirmed continuous compliance with the security requirements in 32 CFR Part 170. In addition, the proposed rule adds definitions for Controlled Unclassified Information (CUI) and DoD UID at DFARS 204.7501 (definitions at 88 FR 66336).

DFARS 252.204-7YYY

The proposed rule also introduces a new DFARS provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements. This provision requires notice to contractors of the CMMC level required by the solicitation and of the proof of compliance required to be submitted in SPRS.

The provision requires:

  • Offerors to post CMMC Level 1 and 2 self-assessments in SPRS
  • Third-party assessment organizations to post Level 2 certificate assessments in SPRS
  • The DoD assessor to post the Level 3 certificate in SPRS

The proposed rule adds a prescription in DFARS 204.7504 under which an apparently successful offeror may not receive contract award unless the results of its CMMC compliance are posted in SPRS and it has affirmed continuous compliance with the security requirements.

Lapses in CMMC Level and Other Provisions

The proposed rule amends the CMMC requirements set forth in DFARS 252.204-7021 to add a requirement that any contractor information system that processes, stores, or transmits Federal Contract Information (FCI) or CUI during contract performance must meet the CMMC level required in the contract. Additionally, contractors would be required to notify the contracting officer if they are unable to maintain the CMMC level necessary to satisfy the relevant information security requirement during contract performance.

This revised DFARS clause would also require contractors to have a senior company official affirm (on an annual basis) continuous compliance with applicable CMMC requirements.

Finally, the proposed rule states that the clause applies to solicitations, contracts, task orders, or delivery orders that require a contractor to maintain a specific CMMC level, including those for the acquisition of commercial services and products, excluding commercially available off-the-shelf (COTS) items.

Implementation Details

The proposed rule would follow the phased roll-out process described in prior CMMC 2.0 rulemaking actions. During the three-year phase-in period, the requirements would only apply when the solicitation or contract requires a specific CMMC level. After this period, the requirements would apply to all contracts for which the contractor processes, transmits, or stores FCI or CUI during contract performance.

Conclusion

Comments regarding this proposed rule are due on October 15, 2024, and the rule could be finalized as soon as spring 2025. Once the rule is finalized, the three-year phase-in period would begin on the effective date of the final rule, and, in year four, the requirements would apply to all contracts for which the contractor processes, transmits, or stores FCI or CUI during contract performance.

Footnote

1. This latest proposed rule also addresses the public comments to the Interim Rule under DFARS Case No. 2019-D41, which was published on September 29, 2020.



© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
