The U.S. Department of Defense’s Proposed Amendments to DFARS: Enhancing Cybersecurity in the Defense Industrial Base
In an era where cybersecurity threats are increasingly sophisticated and pervasive, the U.S. Department of Defense (DoD) is taking significant steps to bolster the security of its supply chain. The DoD has proposed amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. This initiative aims to create a robust framework for assessing and enhancing cybersecurity across the U.S. defense industrial base (DIB).
Background: The Need for Cybersecurity Enhancement
The impetus for these proposed amendments stems from the National Defense Authorization Act for Fiscal Year 2020, which directed the Secretary of Defense to develop a comprehensive framework to enhance cybersecurity within the DIB. The increasing frequency and severity of cyberattacks targeting defense contractors have underscored the necessity for stringent cybersecurity measures. The CMMC 2.0 program is designed to provide a structured approach to assess contractor compliance with cybersecurity requirements, thereby safeguarding unclassified information within the DoD supply chain.
The Proposed DFARS Rule
On August 15, 2024, the DoD published a notice in the Federal Register, inviting comments from stakeholders on the proposed DFARS rule. Interested parties have until October 15, 2024, to submit their feedback, which will be considered in the formulation of the final rule. The proposed rule aims to establish a clear set of requirements for contractors, ensuring that they meet specific CMMC levels based on the sensitivity of the information they handle.
CMMC 2.0: A Framework for Cybersecurity
CMMC 2.0 provides a comprehensive framework for assessing contractor implementation of cybersecurity requirements. It is designed to enhance the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the defense supply chain. The phased rollout of CMMC will occur over three years, with the DFARS clause on ‘Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements’ being prescribed for use in solicitations and contracts that require a specific CMMC level.
During this phase-in period, program offices will determine the inclusion of CMMC requirements in solicitations after consulting the CMMC 2.0 guidelines. This flexibility allows for a tailored approach to cybersecurity based on the unique needs of each contract.
Flowing Down Requirements to Subcontractors
One of the critical aspects of the proposed rule is the requirement for contractors to flow down CMMC certification requirements to subcontractors at all tiers. This is particularly important when subcontractors will process, store, or transmit FCI or CUI. By ensuring that all parties in the supply chain adhere to the same cybersecurity standards, the DoD aims to create a more secure environment for sensitive information.
Certification Timing and Compliance
The DoD has carefully considered the timing of CMMC 2.0 level certification requirements. After evaluating three alternatives, the decision was made to require certification at the time of award. This approach balances the need for timely compliance with the realities of contractors’ cybersecurity postures. It mitigates the risks associated with requiring certification at the proposal submission stage, where contractors may not have adequate time to achieve the necessary certification.
Impact on Contracts and Subcontracts
The proposed rule will apply to contracts and subcontracts valued above the micro-purchase threshold, including those for the acquisition of commercial products and services, excluding commercially available off-the-shelf (COTS) items. This broad application ensures that a significant portion of the defense contracting landscape is covered under the new cybersecurity requirements.
Information Collection and Compliance Costs
The proposed rule outlines the information collection requirements that will impact contractors during the first three years after the final rule’s effective date. Contractors will need to post the results of their CMMC self-assessments in the Supplier Performance Risk System (SPRS) and affirm continuous compliance with security requirements. While these activities will incur costs, the benefits of enhanced cybersecurity and reduced risk of malicious cyber activity are expected to outweigh them.
Benefits of the Proposed Rule
The primary benefit of the proposed rule is the increased assurance it provides to the DoD regarding a contractor’s ability to protect sensitive unclassified information. By incorporating third-party assessments into the CMMC framework, the DoD can verify that contractors are implementing adequate cybersecurity measures. This verification process is crucial for maintaining the integrity of the defense supply chain and protecting intellectual property from cyber threats.
Moreover, the proposed rule supports the broader goal of safeguarding national security by reducing the threat of cyberattacks that could have significant economic and strategic implications.
Conclusion
The proposed amendments to the DFARS represent a significant step forward in enhancing cybersecurity within the U.S. defense industrial base. By establishing clear requirements for CMMC certification and ensuring that these requirements flow down to subcontractors, the DoD is taking proactive measures to protect sensitive information from evolving cyber threats. As stakeholders prepare to submit their comments on the proposed rule, the focus remains on creating a secure and resilient defense supply chain that can withstand the challenges of the digital age.
Anna Ribeiro
Industrial Cyber News Editor
Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization, and IoT.