The CMMC Regulation for DFARS Update Has Arrived! | Sheppard Mullin Richter & Hampton LLP


Understanding the Proposed Cybersecurity Maturity Model Certification (CMMC) Rule: What Federal Contractors Need to Know

On August 15, 2024, the proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) program in the Defense Federal Acquisition Regulation Supplement (DFARS) was published in the Federal Register. It is the contractual half of the program: the separate Title 32 CFR rule defines CMMC itself, and this DFARS rule is what puts the requirement into Department of Defense (DoD) solicitations and contracts. The 60-day comment period closes on October 15, 2024, so stakeholders have a limited window to raise concerns about the proposed text.

Overview of the Proposed Rule

The proposed rule closely mirrors the Title 32 Code of Federal Regulations (CFR) CMMC proposed rule previously analyzed. It does not introduce major surprises, but it significantly expands the text of the DFARS clause that will appear in DoD contracts, spelling out the CMMC obligations that flow to contractors and, through them, to subcontractors.

Key Requirements for Contractors

The proposed DFARS 252.204-7021 clause outlines several critical requirements for contractors:

  1. CMMC Certification or Self-Assessment: Contractors must possess a current CMMC certificate or self-assessment at the requisite CMMC level or higher.

  2. Maintaining CMMC Levels: Contractors are required to maintain the specified CMMC level for the duration of the contract across all applicable information systems.

  3. Data Handling: Only information systems that have been assessed or certified at the required CMMC level may be used to store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in performance of the contract.

  4. Notification of Security Lapses: Contractors must notify the contracting officer within 72 hours of any lapse in information security or any change in the status of their CMMC certificate or self-assessment level.

  5. Annual Compliance Affirmation: An affirmation of continuous compliance with security requirements must be completed and maintained annually or when changes occur.

  6. Subcontractor Compliance: Contractors are responsible for ensuring that all subcontractors and suppliers also complete and maintain an annual affirmation of compliance.

Additionally, the proposed rule introduces a new reporting section covering three items in the Supplier Performance Risk System (SPRS): the DoD-issued unique identifier for each information system used in contract performance, the results of the contractor's self-assessments, and any changes to the list of unique identifiers.

CMMC Program Basics

Understanding the foundational aspects of the CMMC program is essential for contractors as they prepare for its implementation:

  • Phased Roll-Out: The CMMC program will be rolled out in phases over three years, with the DFARS clause becoming effective upon the issuance of a final rule, expected in early to mid-2025.

  • Prime Contractor Responsibilities: Prime contractors will bear the responsibility for ensuring subcontractor compliance. DoD acknowledges that prime contractors cannot look up a subcontractor's status in SPRS, yet still expects primes to verify that status by other means before flowing down work involving FCI or CUI.

  • Applicability of CMMC Requirements: The proposed rule will apply to most DoD solicitations and contracts, including acquisitions of commercial products or services, with certain exceptions.

  • CMMC Certification Timing: Contractors must complete their CMMC certification or self-assessment before contract award, as contracting officers will not be able to proceed with awards unless CMMC requirements are met.

Key Updates and Reminders

As contractors navigate the evolving landscape of CMMC requirements, several key updates and reminders are crucial:

  1. Focus on Federal Contract Information: CMMC requirements apply to all contractor systems that store, process, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). CUI has drawn most of the attention, but FCI will matter more as companies must attest to, and confirm self-assessments against, the basic Level 1 safeguarding controls for any system that touches FCI.

  2. Unique Identifiers from DoD: Contractors will receive unique identifiers for applicable information systems from the DoD. The proposed rule mandates that contractors identify systems with CUI and FCI used in contract performance.

  3. Affirmation of Continuous Compliance: A senior company official must provide an affirmation of continuous compliance with CMMC for each applicable information system as a prerequisite for contract award.

  4. Reporting Changes: Contractors are required to report any lapse in information security or change in CMMC level within 72 hours. Because the clause does not define what counts as a lapse, this new requirement raises practical questions about whether minor changes must also be reported.

Preparing for CMMC Implementation

As the anticipated rollout of CMMC approaches in 2025, federal contractors should take proactive steps to ensure compliance:

  1. Determine Expected CMMC Levels: Assess the CMMC levels likely to apply to future contracts.

  2. Account for Information Systems: Ensure all information systems supporting DoD contracts are accounted for in CMMC planning.

  3. Evaluate Subcontractor Compliance: Assess the ability of subcontractors to meet CMMC requirements.

  4. Review Internal Policies: Update internal policies and procedures as necessary to align with new requirements.

Conclusion

The proposed rule for the Cybersecurity Maturity Model Certification program represents a significant shift in how federal contractors must approach cybersecurity: certification or self-assessment becomes a condition of award, and maintaining it becomes a continuing contractual obligation. While the comment period is open, stakeholders should engage with the proposed text and begin preparing for implementation. Contractors that understand the requirements and act on them now will be best placed when the clause starts appearing in solicitations.
