Pentagon release key CMMC contracting rules

The Defense Department today released a proposed rule that will inject Cybersecurity Maturity Model Certification, or CMMC, requirements into the contracting process.

The proposed amendment to the Defense Acquisition Regulations Supplement (DFARS) is scheduled to be published in the Federal Register Aug. 15. It would incorporate CMMC requirements into the Pentagon’s solicitations and contracts. CMMC aims to verify whether defense contractors are following cybersecurity standards for protecting sensitive but unclassified information.

The new acquisition rule complements another proposed rule the Pentagon published late last December, which outlines the overall contours of the CMMC program, according to Jacob Horne, cybersecurity evangelist at Summit 7, a firm that sells CMMC services to defense contractors.

“The other part of the equation is the rule that we got today, which is the rule that revises the actual language of the contract clause that will show up in contracts, solicitations, orders, things like that, that will specify the individual level of certification requirement that contractors will need to have to take award of their contract,” Horne said.

The proposed DFARS rule would create a provision in solicitations that notifies contractors of CMMC requirements.

“They’re dotting their i’s and crossing their t’s, reinforcing the requirements,” Horne said.

Under the CMMC program, DoD plans to require contractors to either self-assess that they comply with cybersecurity requirements or obtain a third-party certification, depending on the sensitivity of the data involved in the contract.

The proposed DFARS rule confirms that DoD will require organizations to submit their self-assessment or certification at the time of contract award.

DoD officials had considered requiring companies to submit their CMMC documents with their proposal submission. But as the DFARS rule notice explains, DoD determined that would bring “increased risk for offerors since they may not have sufficient time to achieve the required CMMC certification.”

DoD had also considered requiring certification after contract award. But the department determined that would bring “increased risk to DoD with respect to the schedule and uncertainty due to the possibility that the contractor may be unable to achieve the required CMMC level in a amount of time given their current cybersecurity posture.”

Eric Crusius, government contracting attorney and partner at law firm Holland and Knight, said contractors should aim to understand whether they may be required to meet CMMC requirements well before the solicitation.

“I do think that while it’s helpful to kind of see what’s in the solicitation, I don’t think contractors should wait that long, because if they do, it’s probably going to be too late,” Crusius said.

CMMC phased rollout

The rule also lays out a three-year-long “phased rollout” of the CMMC requirements. “The rollout is intended to minimize both the financial impacts to the industrial base, especially small entities, and disruption to the existing DoD supply chain,” the rule states.

Based on prior timelines for DoD rulemaking, Horne suggested that three-year DFARS rollout could begin by the summer of 2025.

“The thing for people to really pay attention to, though, is that the DoD program managers have a large amount of what they call discretion in their ability to include CMMC requirements in contracts during this phase-in period,” Horne said. “So it’s very important for people to communicate with their customers about what their individual plans are.”

By the end of the three-year rollout, DoD estimates 35% of contractors that handle sensitive data – about 10,340 entities — will need to obtain a “level two” CMMC third-party certification. Meanwhile, approximately 65% of applicable contracts will require a “level one” self-assessment, per DoD’s analysis.

Crusius said those numbers are largely in line with what the Pentagon has previously signaled. But he said many defense contractors will likely seek a third-party certification to ensure they can compete for a wide range of DoD business.

“Most contractors have some contracts that only have federal contract information, and they have some contracts that have controlled unclassified information,” Crusius said. “Of course, contractors that are selling commercial-off-the-shelf items only won’t be implicated in this rule or contractors that do fairly mundane tasks, such as mowing the lawn in front of a defense installation. But I do think we’ll see more contractors seeking a level two, third-party assessment than DoD anticipates.”

The comment period on the proposed DFARS rule is projected to close on Oct.14.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.