Go-To Guide: |
|
On Aug. 15, 2024, the Department of Defense (DoD) published a proposed rule that would implement contract clauses under 48 CFR related to the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule).1 DoD previously published a related proposed rule that would implement the CMMC 2.0 Program under 32 CFR 170 and provided the relevant security requirements.2
This latest Proposed Rule would introduce changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual clauses to implement the CMMC Program. The Proposed Rule would modify the original CMMC contract clause, which DoD drafted in a Sept. 29, 2020, interim rule implementing the original CMMC Program (DFARS 252.204-7021).
Key elements of the proposed contract clauses include:
- Requirement to enter the CMMC certificate or self-assessment results into the Supplier Performance Risk System (SPRS) at the specified CMMC level at the time of the contract award.
- Affirmation of continuous compliance for each of the contractor information systems that process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI).
- Notification to the contracting officer of any changes in the contractor’s information systems that process, store, or transmit FCI or CUI during contract performance.
- Include CMMC requirements in applicable subcontracts.
Interested contractors should submit their comments on the Proposed Rule by Oct. 15, 2024. To date, there have been 45 comments on the rule publicly posted to the docket.
DoD will adjudicate each of the comments before issuing the final rule. Given that DoD previously received public comments to the interim rule and responded to those in the Proposed Rule preamble, the adjudication process may be quick. DoD also received comments on the 32 CFR 170 program requirements earlier this year, and a final version of that rule may be released before the end of the year. DoD may also choose to release final versions of the rules at the same time, which would advise contractors of the effective start date(s). DoD may finalize these rules in early 2025, kicking off the CMMC program rollout.
Olivia Bellini also contributed to this article.