By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner
August 2024 proposed contractual requirements related to CMMC
On August 15, 2024, the Department of Defense (DoD) published the proposed rule (under 48 CFR) that details the process for incorporating CMMC requirements into federal contracts. This rule supplements the CMMC program 2.0 rules that were released in December 2023 (under 32 CFR), which provided the comprehensive framework for the CMMC program. This is the final piece of the regulation that is necessary for the DoD to fully roll out the Cybersecurity Maturity Model Certification (CMMC) 2.0 program.
Highlights of the proposed rule
The key requirements of the 48 CFR proposed rule release that would impact defense contractors include:
- CMMC certification requirements upon award of a contract:
  - Contractors must present a current Cybersecurity Maturity Model Certification (CMMC) certificate or self-assessment, as required by the solicitation, at the time of contract award. This applies to all information systems involved in processing, storing, or transmitting Federal contract information (FCI) or controlled unclassified information (CUI).
- Supplier Performance Risk System (SPRS) verification procedures:
  - Contracting officers are mandated to verify, before awarding contracts, exercising options, or when new DoD Unique Identifiers (UIDs) are issued, that:
    - Current CMMC certification results or self-assessments at the solicitation-required level are posted in the Supplier Performance Risk System (SPRS) for applicable DoD UIDs.
    - The contractor maintains continuous compliance with the security requirements in 32 CFR part 170, as affirmed in SPRS.
- New definitions added:
  - The term “CUI” will be defined based on 32 CFR 2002, with additional definitions for “current” (related to CMMC) and “DoD UID.”
- New DFARS provision (252.204-7YYY):
  - Notice of Requirements: This provision will inform offerors of the required CMMC level for the solicitation and necessitate that CMMC certification results or self-assessments be posted in SPRS before contract award.
- Transmission of CMMC results:
  - Level 1 & 2: Self-assessments must be posted by the offerors.
  - Level 2 & 3: Certification results will be electronically transmitted to SPRS by designated third-party assessment organizations or DoD assessors.
- DoD UIDs:
  - Disclosure Requirement: Offerors must provide DoD UIDs for contractor information systems involved in processing FCI or CUI, as issued by SPRS.
- Revised DFARS 252.204-7021 clauses:
  - Definitions for Cybersecurity Maturity Model Certification, “current” (CMMC), and DoD UID are added.
  - Contractors must maintain the required CMMC level throughout the contract term.
  - Contractors must submit DoD UIDs and affirm continuous compliance with 32 CFR part 170 annually or upon security changes.
  - Contractors must notify contracting officers of any changes in information systems and provide the corresponding DoD UIDs.
  - Contractors must ensure subcontractors meet the required CMMC level before awarding subcontracts.
- Clause prescription changes:
  - DFARS 204.7504: Prescribes the use of DFARS 252.204-7YYY in solicitations and contracts involving CMMC requirements, including those for commercial products and services (excluding commercial off-the-shelf (COTS) items).
- Timing for CMMC certification:
  - Certification at Award: The rule mandates that CMMC 2.0 certification be achieved by the time of award, balancing the risks associated with proposal submission and post-award certification.
- Conforming changes:
  - Citations and Amendments: Updates include referencing CMMC 2.0 program requirements throughout DFARS, adding the new provision to the list of solicitation provisions for commercial products/services, and advising on the exercise of contract options with respect to CMMC compliance.
The proposed amendments seek to enhance cybersecurity measures by requiring contractors to achieve certain CMMC levels prior to contract awards, maintain compliance throughout the duration of the contract, and offer clearer guidelines on verification procedures and requirements.
Next Steps
Read the proposed rule in its entirety here: Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
The Proposed Rule is open for comment until October 15, 2024. Stakeholders are encouraged to review and provide feedback on the proposed amendments to ensure effective implementation and compliance. The suggested new or amended DFARS clauses in this regulation will not be incorporated into DoD contracts until the DoD issues a final rule after the comment period has ended.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.