Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:

1. Incorporate the December 2023 CMMC 2.0 requirements.
2.  Add key definitions to the DFARS.
3. Establish a solicitation provision and prescription.
4. Revise the existing DFARS 252.204-7021 clause language and prescription to reflect the new (and hopefully improved) CMMC 2.0.

While this Proposed Rule features some of our favorite characters from earlier CMMC feature presentations (such as DFARS 252.204-7021), there are some significant plot changes and graver stakes. This Proposed Rule doesn’t wrap up the story, however, as there are still ambiguities in the Proposed Rule that raise some significant questions—and concerns—for contractors trying to position themselves to meet the CMMC requirements. And perhaps there’s even a cliff-hanger ending.

DFARS Language Callbacks

The Proposed Rule would make several key changes to the DFARS to incorporate the CMMC 2.0 Requirements, including:

• New definitions at DFARS 204.7501 for (1) controlled unclassified information (CUI) (based on the 32 CFR 2002 definition of CUI); (2) current (as it relates to CMMC certificates, self-assessments, and affirmations of continuous compliance); and (3) DoD unique identifier (DoD UID) (which is an identifier assigned within the Supplier Performance Risk System (SPRS) to each contractor assessment)
• Amendments to DFARS 204.7502, Policy, requiring a current CMMC certificate or CMMC self-assessment for all information systems that process, store, or transmit Federal contract information (FCI) or CUI during contract performance at the appropriate level at the time of award and to maintain that certificate or self-assessment throughout the life of the contract
• A new requirement at DFARS 204.7503, Procedures, requiring contracting officers to include the required CMMC level in the solicitation and contract, and to verify in SPRS, prior to awarding a contract, exercising an option, or when a new DoD UID is provided, that:
  • A current CMMC certificate or current CMMC self-assessment at the level required by the solicitation, or higher, is posted in SPRS for each DoD UID applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract.
  • The successful offeror has a current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each DoD UID applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract.
• A new DFARS provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements, that will provide notice to offerors of the CMMC level required by the solicitation and of the CMMC certificate or self-assessment results that are required to have been posted in SPRS by the apparently successful offeror prior to award

Perhaps of most interest to the majority of contractors, however, are the proposed changes to the clause at DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. The clause, which will be required in all solicitations and contracts, task orders, or delivery orders that require the contractor to have a CMMC certificate or CMMC self-assessment at a specific level, is directed to be included even in contracts for commercial products and commercial services (except for those contracts exclusively for commercially available off-the-shelf (COTS) items). While this clause has been on the books since January 2023, it has not been in regular use as DoD refined and updated the CMMC requirements. The Proposed Rule includes several changes and/or enhancements to the clause, including requirements for the contractor to:

• Have and maintain the required CMMC level for the life of the contract for all information systems used in performance of the contract that process, store, or transmit FCI or CUI.
• Only transmit data on information systems that process, store, or transmit FCI or CUI during contract performance that have a CMMC certificate or CMMC self-assessment at the CMMC level required by the contract.
• Complete and maintain an affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 (to be completed by a “senior company official” as that term will be defined in 32 CFR 170.4) on an annual basis and when “security changes” occur.
• Notify the contracting officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.
• Ensure that subcontractors also have the appropriate CMMC level prior to awarding a subcontract (to include consulting 32 CFR part 170 related to flowing down information) and include the requirements of the clause in subcontracts.

Costars and Subcontractors

Subcontractor compliance with the CMMC requirements is a key focus of this Proposed Rule and the December 2023 Proposed Rule, as the CMMC framework is intended to enhance the protection of FCI and CUI at all levels of the DoD supply chain (to the extent such information flows down). The proposed revised clause at DFARS 252.204-7021 will flow down to subcontracts, including subcontracts for commercial products and services, where there is a requirement under the subcontract to meet a CMMC level.

The subcontract requirement level will be determined by the prime contractor based on its review of the requirements in 32 CFR part 170. The Proposed Rule points to the December 2023 Proposed Rule for guidance on this topic; however, commenters on that Proposed Rule expressed concern about how the process will unfold, and there is still some ambiguity about how prime contractors are to identify and assign the appropriate CMMC level to their subcontracts. In any case, once that level is identified and assigned, prior to award of the subcontract, the prospective subcontractor must have a current CMMC certificate or current CMMC self-assessment at the CMMC level that is appropriate for the information to be flowed down to the subcontractor. While this may seem like a straightforward flow-down requirement, the implementation of this requirement is likely to be messy. For example, there is likely to be a learning curve as prime and higher-tier subcontractors wrestle with the requirements at 32 CFR part 170 to determine the appropriate CMMC level to flow down into existing or necessary—and perhaps reticent—supply chains. In addition, prime contractors do not currently have the ability to electronically verify their subcontractors’ information. Recognizing this (but offering no practical solution), DoD notes in the Proposed Rule that prime contractors are “expected to work with their suppliers to conduct verifications as they would under any other clause requirement that applies to subcontractors.” 89 FR 66331. While perhaps loosely folding into the area of “subcontractor responsibility,” the present proposed rules do not offer contractors any concrete guidance as to how to ensure these requirements are appropriately flowed down to subcontractors, and we expect many comments to the Proposed Rule will focus on this critical issue.

Pacing and CMMC Phased Rollout

Consistent with the December 2023 Proposed Rule, the Proposed Rule envisions a phased rollout of CMMC. Once final, the CMMC 2.0 requirements are expected to be phased in over a three-year period. During this time, inclusion of the CMMC requirements into solicitations/contracts will be determined by the program office or requiring activity after review of the requirements to be enacted at 32 CFR part 170 (and, if the requirements are included in a contract, they must appropriately be flowed down to subcontractors at all tiers when the subcontractor will process, store, or transmit FCI or CUI). Following this phase-in period, a CMMC level will apply to allDoD solicitations and contracts valued at greater than the micro-purchase threshold that involve processing, storing, or transmitting FCI or CUI, including those for commercial products or commercial services (except those exclusively for COTS items). Of course, this phase-in period cannot begin until both this Proposed Rule and the December 2023 Proposed Rule are finalized, the timing of which is still unknown. However, this gives contractors some sense of the runway they can anticipate once the requirements are in final form.

Comments on the Proposed Rule are due on or before October 15, 2024. Contractors will want to carefully examine the proposed revisions to the DFARS and press DoD to clarify any ambiguities or address any potential challenges in implementation of the requirements. In addition to the issues noted above, one issue of particular note is the requirement in the revised DFARS 252.204-7021 to notify the Contracting Officer within 72 hours of any “lapses in information security” or changes in that status of CMMC certificate or CMMC self-assessment levels during performance of the contract. This 72-hour period mirrors the reporting requirements in DFARS 252.204-7012, which requires rapid reporting of “cyber incidents.” However, unlike DFARS 252.204-7012, which defines “cyber incident,” the new DFARS 252.204-7021 does not identify what constitutes “lapses in information security.” This leaves this critical requirement open to countless interpretations, increasing risk for contractors attempting to comply with the requirements and diluting any potential benefits DoD may derive from this reporting requirement.

Thus, after a long history of publicity, there is some welcome CMMC character (er—regulatory) development in the Proposed Rule, but many questions remain unanswered. We hope that DoD is not pitching a trilogy—or, worse, a franchise—behind the scenes, and that these questions will be addressed in the Final Rule.

[View source.]