The Department of Defense Issues New Proposed Rule Implementing Contractual Requirements Related to CMMC 2.0

Pillsbury Winthrop Shaw Pittman LLP

The DoD takes yet another step towards full implementation of CMMC 2.0.

Takeaways

  • The proposed rule aims to implement many of the aspects of the Cybersecurity Maturity Model Certification program by amending the Department of Defense Federal Acquisition Regulation Supplement.
  • Under the proposed rule, self-assessment or certification results will be required to be transmitted to the Supplier Performance Risk System at the time of award for the offeror to be eligible for award.
  • Self-assessment and certification results will not be publicly available—they will only be viewable by government officials and the assessed or certified contractor itself.

On August 15, 2024, the Department of Defense (DoD) released a long-awaited proposed rule implementing certain requirements of the Cybersecurity Maturity Model Certification (CMMC) program 2.0. As we have previously reported, CMMC is a program developed by the DoD to protect the Defense Industrial Base from cyber threats. Under this program, nearly all DoD contractors and subcontractors will be required to achieve certain levels of cybersecurity maturity. The DoD first announced the CMMC program in 2019, then issued an initial version of the program (CMMC 1.0) in November 2020. In November 2021, the DoD announced that it would be overhauling the CMMC and replacing it with CMMC 2.0. The purpose of CMMC 2.0 was to restructure the CMMC program and to reduce the cost and administrative burden of achieving cybersecurity compliance. On December 26, 2023, the DoD issued a proposed rule and related guidance implementing many aspects of CMMC 2.0. The newly released proposed rule would amend the Department of Defense Federal Acquisition Regulation Supplement (DFARS) to implement the contractual requirements related to CMMC 2.0. This new proposed rule is largely consistent with the December 26, 2023, proposed rule, but provides additional detail about how the CMMC program will be administered and introduces new contract clauses to implement the program.

Under the proposed rule, DoD contractors will be required either to obtain a third-party certification or to conduct a self-assessment of their compliance with applicable cybersecurity requirements for all information systems that process, store or transmit federal contract information (FCI) or controlled unclassified information (CUI). Contractors will be required to post the results of their Level 1 or Level 2 self-assessments to the Supplier Performance Risk System (SPRS). Level 2 certificate assessment results will be transmitted to SPRS by the third-party assessment organization, and Level 3 certificate assessment results will be transmitted to SPRS by the DoD assessor.

Apparently successful offerors and contractors will be required to have the results of a current certification or self-assessment and affirmation of continued compliance with applicable cybersecurity requirements uploaded to SPRS at the time of the award of a new contract, exercise of an option, or extension of a period of performance of a contract. Contracting Officers will be required to verify the certification or self-assessment via SPRS prior to the award of a contract, exercise of an option or extension of a period of performance. These CMMC certification requirements will be required to be flowed down to subcontractors at all tiers where the subcontractor will process, store or transmit FCI or CUI. Notably, the proposed rule states that contracting officers must verify that CMMC results are posted in SPRS for each of the contractor information systems that will process, store or transmit FCI or CUI in performance of the contract. This suggests that prime contractors will be required to affirmatively identify each subcontractor information system that will handle CUI prior to award so that the DoD can perform this review.

The proposed rule also introduces the concept of DoD unique identifiers (DoD UIDs). A DoD UID is an alpha-numeric identifier that will be assigned to each contractor information system being certified or self-assessed. DoD UIDs will be assigned by SPRS after the results of each certification or self-assessment are transmitted to the system. At the request of a contracting officer, contractors will be required to provide DoD UIDs for each information system that will process, store or transmit FCI or CUI during performance of a particular contract.

The proposed rule confirms that contractors’ certifications and self-assessment scores will not be publicly available on SAM.gov. This raises the question of how prime contractors will ensure subcontractor compliance as they will be unable to independently vet a subcontractor’s CMMC level via the government website (contractors can only view their own SPRS entries). The limited availability of SPRS information also creates difficulty for competitors alleging failure to comply with CMMC 2.0 requirements as a basis to protest an award.

Significantly, the new rule would also require contractors to “[n]otify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract.” Contractors are likely to find this reporting requirement problematic for many reasons. For one, contractors will have less ability to conduct internal self-assessments and remediate areas before notifying the government. Additionally, if the final rule is not amended, contractors may struggle to determine whether a reportable “lapse” has occurred, as this term is undefined and is not explicitly limited to covered information systems or the CUI or FCI residing on those systems. Finally, contractors with multiple contracts subject to this new clause may have to make multiple reports for one incident because the proposed contract clause requires reporting to the contracting officer rather than to a centralized location.

As explained in the December 2023 proposed rule, the phased rollout of CMMC will begin once this new proposed rule is finalized. Interested parties may comment on the proposed rule by October 15, 2024. Thus, the publication of this proposed rule provides yet another indication that CMMC 2.0 is around the corner and that contractors should be ready for its implementation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Pillsbury Winthrop Shaw Pittman LLP
