Last week, the U.S. Department of Defense (DoD) released a proposed amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) that would make the Cybersecurity Maturity Model Certification (CMMC) program a required part of the DoD’s contracting process. The CMMC program is a DoD program that helps businesses meet security requirements for their work with the DoD. The program aims to protect sensitive information shared with contractors and subcontractors and to ensure that industry meets cybersecurity requirements for systems that process Controlled Unclassified Information (CUI).
The proposed DFARS amendment would create a provision in all DoD solicitations that notifies contractors of CMMC requirements. The amendment would require contractors either to self-assess that they comply with cybersecurity requirements or to obtain a third-party certification, depending on the sensitivity of the data involved in the contract. The self-assessment or certification would be submitted to the DoD upon the awarding of a contract.
The DoD had previously considered requiring certification after the contract award, but the DoD determined that such a timeline would cause “increased risk to DoD with respect to the schedule and uncertainty due to the possibility that the contractor may be unable to achieve the required CMMC level in an amount of time given their current cybersecurity posture.”
The proposed rule also includes a 3-year phased rollout of the CMMC requirements in order to minimize the financial impact on businesses and disruptions to DoD supply chains. The rollout could begin as early as the summer of 2025.
Of note, DoD program managers will have discretion during the phase-in period as to which CMMC requirements are included in contracts.
At the end of the rollout period, the DoD estimates the following:
- 35% of contractors that handle CUI will need to obtain a Level 2 CMMC third-party certification.
- 65% of contractors will require a Level 1 CMMC self-assessment.
While most DoD contractors only handle federal contract information, some do receive and maintain CUI. However, contractors that only sell commercial off-the-shelf items won’t be affected by this amended rule, nor will contractors that perform routine tasks for the DoD, such as landscaping or other work on DoD premises. The comment period on the proposed DFARS rule will close on October 14, 2024.