On August 15, 2024, the Department of Defense (DOD) announced the much-anticipated Proposed Rule that would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to include Cybersecurity Maturity Model Certification 2.0 (CMMC) Program contract clauses and requirements.  Among the most important aspects of the Proposed Rule, it would require contractors to submit at the time of contract award a CMMC self-assessment or certificate from a third-party or DOD evaluator, depending on what CMMC level is required by the solicitation, for “all information systems that process, store, or transmit” certain controlled information, and to maintain that level of security through the life of the contract.  As announced last December in a related CMMC Proposed Rule, Level 1 and some Level 2 requirements would continue to allow self-assessments by contractors, while other Level 2 assessments must be done by third-party assessment organizations (C3PAOs), and all Level 3 certifications would require a DOD assessment.  Contractors must report their self-assessments in the Supplier Performance Risk System (SPRS), which is the government’s online portal used to assess cybersecurity compliance by contractors.  C3PAO and DOD assessments would be sent directly to SPRS by the evaluators. Offerors who do not meet the CMMC certification requirements would not be eligible for award.

DOD plans to implement the new CMMC requirements gradually, primarily through contract clause DFARS 252.204-7021 (Contractor Compliance With the Cybersecurity Maturity Model Certification Requirements), over a three-year phase-in period, after which the Government would require the clause in nearly all DOD solicitations and contracts that involve processing, storing, or transmitting controlled unclassified information (CUI) and federal contract information (FCI).  In the meantime, DOD program offices or procuring activities would decide whether CMMC requirements are included in a solicitation “after consulting the CMMC 2.0 requirements at 32 CFR Part 170.”

The Proposed Rule also includes a new DFARS solicitation provision requiring notice to offerors of the specific CMMC level required by the solicitation, which would allow contractors to evaluate their state of cyber compliance before pursuing a federal contract for which they may be ineligible.  Other important requirements in the Proposed Rule include the following:

  • Contractors must maintain the applicable CMMC level for the life of relevant contracts and affirm compliance annually and at any point at which there is a change to their information security systems.

These additional certifications would not meaningfully change the CMMC compliance requirements—contractors would have to maintain the applicable CMMC level for the life of the contract regardless.  But the express certification of compliance would make it easier for the government to prosecute a contractor under the False Claims Act (FCA), which penalizes false statements that are material to the government’s decision to pay a contractor’s claims.  Since 2021, the Department of Justice (DOJ) has been running a Civil Cyber-Fraud Initiative, enforcing cybersecurity regulations through FCA investigations and prosecutions.  Contractors can expect the DOJ to pay special attention to CMMC compliance in the coming years.

  • Contractors must submit to contracting officers the DOD unique identifiers assigned to each contractor information system that will process, store, or transmit covered information.  The unique identifiers are ten-digit numbers assigned through CMMC self-assessments and certificates.

Under the proposed CMMC requirements, DOD would track every information system that contractors use to handle FCI and CUI.  To prepare for CMMC 2.0 implementation, contractors should take inventory of the information systems that may be used on DOD contracts so that they can report accurately when the time comes.

  • Contractors must flow down CMMC requirements in their subcontracts and “other contractual instruments,” and ensure that their subcontractors who handle CUI or FCI possess the appropriate level of CMMC compliance.

This flow-down requirement is notable for its inclusion of “other contractual instruments,” which extends CMMC compliance obligations to virtually anyone doing business with a DOD prime or subcontractor that would touch FCI or CUI.  Other contractual instruments could include supplier agreements, grants, and cooperative agreements.  Given the burden and complexity of monitoring compliance by vendors and other minor subcontractors, this should motivate DOD contractors to minimize unnecessary FCI and CUI sharing.  

  • Contractors must notify contracting officers of any changes in their cyber information systems that involve covered information, and report lapses in information security or changes to CMMC certification to the government within 72 hours. 

DOD contractors will need to ensure that IT personnel understand the company’s CMMC compliance obligations and have a clear procedure for quickly reporting IT changes or security lapses to the legal department to evaluate whether a disclosure is necessary.

The public comment period for the Proposed Rule is underway and will close on October 15, 2024.  But DOD contractors can start preparing for the final rule now by examining their cybersecurity systems and planning their approach to CMMC compliance should the rule become final.  Obtaining CMMC certification at the highest level can take more than a year, so it is never too early to start the process.