Department of Defense’s Proposed Amendment to DFARS for Inclusion of Cybersecurity Maturity Model Certification in Contracts

Robinson+Cole Data Privacy + Security Insider

Last week, the U.S. Department of Defense (DoD) released a proposed amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) that would make the Cybersecurity Maturity Model Certification (CMMC) program a required part of DoD contracting. CMMC is the DoD's framework for verifying that contractors and subcontractors have actually implemented the cybersecurity requirements that already apply to their work for the DoD: the basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information (FCI), and NIST SP 800-171 for systems that process, store or transmit Controlled Unclassified Information (CUI). The program's purpose is to protect sensitive information shared with contractors and subcontractors and to ensure that industry meets those requirements before handling it.

The proposed DFARS amendment would add a provision to all DoD solicitations notifying offerors of the contract's CMMC requirements. Depending on the sensitivity of the information involved, contractors would have to either self-assess their compliance with the applicable cybersecurity requirements or obtain a certification from a third-party assessor. The required self-assessment or certification would have to be in place at the time the contract is awarded, not afterward.

The DoD had previously considered requiring certification after the contract award, but the DoD determined that such a timeline would cause “increased risk to DoD with respect to the schedule and uncertainty due to the possibility that the contractor may be unable to achieve the required CMMC level in an amount of time given their current cybersecurity posture.”

The proposed rule also provides for a three-year phased rollout of the CMMC requirements, intended to limit the financial burden on businesses and disruption to DoD supply chains. The rollout could begin as early as summer 2025.

Notably, during the phase-in period, DoD program managers would have discretion over whether to include CMMC requirements in a given contract.

At the end of the rollout period, the DoD estimates:

  • About 35% of contractors, those that handle CUI, will need a Level 2 CMMC certification from a third-party assessor.
  • About 65% of contractors will need only a Level 1 CMMC self-assessment.

Most DoD contractors handle only Federal Contract Information (FCI), but some receive and maintain CUI. Contractors that sell only commercial off-the-shelf (COTS) items will not be covered by the amended rule, nor will contractors that perform routine work on DoD premises, such as landscaping. The comment period on the proposed DFARS rule closes on October 14, 2024.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Robinson+Cole Data Privacy + Security Insider
