DoD Issues Proposed DFARS Rule to Implement CMMC 2.0

Overview

The US Department of Defense (DoD) took the next step in implementing the Cybersecurity Maturity Model Certification (CMMC) Program on August 15, 2024, when it issued a Proposed Rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS).

The Proposed DFARS Rule includes the solicitation and contract clauses that will apply CMMC to individual procurements and obligate contractors and subcontractors to store, process and transmit Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) only on information systems that have achieved the CMMC level required by the contract. The Proposed DFARS Rule also establishes processes for contracting officers to determine CMMC compliance prior to the award of a DoD contract and to assess CMMC compliance during contract administration.

In Depth

The most notable aspects of the Proposed DFARS Rule are its emphasis that (1) the CMMC level specified in a particular solicitation and contract “is required for all information systems, used in the performance of the contract, that will process, store, or transmit” FCI or CUI, as applicable; and (2) CMMC compliance is not merely a “point in time” inquiry but requires continuous reaffirmation throughout the contract, including prior to the exercise of any options (id. at 66336-37 (proposed DFARS 204.7502(a)-(b), 204.7503(b)-(c))). The Proposed DFARS Rule also requires 72-hour notifications for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract” (id. (proposed DFARS 204.7503(b)(4))). The proposed rule does not define “lapses in information security,” but the phrase appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours under DFARS 252.204-7012. Given the use of the term “lapse” in other provisions of the FAR and DFARS, this requirement could be interpreted to apply whenever a contractor’s measures for complying with an applicable CMMC control cease to function as intended, even if only temporarily.

In December 2023, DoD issued a proposed rule formally establishing the CMMC Program in Part 170 of Title 32 of the Code of Federal Regulations. The 2023 proposed CMMC rule, which we summarized here and which has yet to be finalized, defined the security controls applicable to each of the three CMMC levels, established processes and procedures for assessing and certifying compliance with CMMC requirements, and defined roles and responsibilities for the Federal Government, contractors and various third parties in the assessment and certification process. For an in-depth discussion of the CMMC program at each level, please see our analyses of Level 1, Level 2 and Level 3.

The August 2024 Proposed DFARS Rule will apply CMMC to individual procurements, amending DFARS Subpart 204.75 and the clauses prescribed therein. The Proposed DFARS Rule prescribes a new clause at DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements, that contracting officers will insert in solicitations to identify the CMMC level applicable to the contract that will result from the solicitation (89 Fed. Reg. at 66337-38 (proposed DFARS 204.7503(a), 204.7504(b) and 252.204-7YYY)). The Proposed DFARS Rule also revises the clause at DFARS 252.204-7021 to incorporate the requirements of CMMC into contracts that involve handling FCI or CUI, including contracts for commercial products and services, but excluding contracts solely for commercially available off-the-shelf items.

As noted above, the Proposed DFARS Rule emphasizes that the specified CMMC level “is required for all information systems, used in the performance of the contract, that will process, store, or transmit” FCI or CUI (id. at 66336-37 (proposed DFARS 204.7502(a), 204.7503(b)(1)(i))). Accordingly, the Proposed DFARS Rule seeks to verify CMMC compliance at the time of award of a CMMC-covered contract or order and to confirm compliance throughout the life of the contract or order.

  • Contracting officers may not award a contract or order to an offeror that does not have a “current” CMMC certificate or self-assessment, as applicable, in the Supplier Performance Risk System (SPRS) at the CMMC level specified in the solicitation (id. at 66377 (proposed DFARS 204.7503(b)(1))). For CMMC Level 1, a current self-assessment is one that is not older than one year, provided that there have been no changes in CMMC compliance since the date of the assessment (id. at 66376 (proposed DFARS 204.7501)). For CMMC Levels 2 and 3, a current certificate (or self-assessment, when applicable to Level 2) is one that is not older than three years, again provided that there have been no changes in CMMC compliance since the date of the certification or assessment (id.).
  • The Proposed DFARS Rule also requires a current “affirmation of continuous compliance” in SPRS with respect to each such information system prior to award (id. at 66337 (proposed DFARS 204.7503(b)(1)(ii))). This is a reference to the affirmations required by proposed 32 C.F.R. § 170.22, which was part of the December 2023 Proposed Rule. Affirmations are current if they are not older than one year and if there have been no changes in CMMC compliance since the affirmation (id. at 66376 (proposed DFARS 204.7501)).
  • The Proposed DFARS Rule also prohibits contracting officers from exercising options on contracts and orders without a current CMMC certificate or self-assessment, as applicable, and a current affirmation of continuous compliance (id. (proposed DFARS 204.7503(c)(1), DFARS 204.7502(b))). The contractor must have a current CMMC certificate or self-assessment and affirmation of continuous compliance for each information system that processes, stores or transmits FCI and CUI in performance of the contract (id. (proposed DFARS 204.7503(c)(1))).
  • The Proposed DFARS Rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract” (id. (proposed DFARS 204.7503(b)(4))). As noted above, the broad phrasing of “any lapses in information security” would require 72-hour notifications for any “lapse,” not merely a noncompliance issue or security incident.
  • The Proposed DFARS Rule arguably also requires that all self-assessments performed for the information systems used in a contract subject to CMMC be entered into SPRS. The proposed revision to DFARS 252.204-7021 requires contractors to enter into SPRS the results of self-assessments, without qualification, and could arguably require preparatory self-assessments or assessments that identified noncompliance issues that could have been identified and corrected without a self-assessment (id. (proposed DFARS 252.7021(c)(2))). Depending on how this language is clarified in the final rule, contractors may need to carefully consider how they structure the self-assessment process to minimize the need to disclose noncompliance issues that can be rectified without an assessment.

DoD considered requiring offerors to have the applicable CMMC certification or self-assessment at the time of proposal submission but determined that the requirement should instead apply at the time of award. The department expressed concern that imposing this requirement at the proposal stage might deprive offerors of sufficient time to complete the certification or assessment process for their first CMMC-covered contract.

The Proposed DFARS Rule contemplates that the “apparently successful offeror” in a procurement will provide DoD with the DoD unique identifier (DoD UID) assigned within SPRS for each information system that will process, store, or transmit FCI or CUI prior to the award of a contract or task order (id. (proposed DFARS 204.7503(b)(2))). If the contractor proposes to use additional information systems during contract performance, DoD must verify that the contractor has a current CMMC certificate or self-assessment and affirmation of continuous compliance for the DoD UIDs associated with those systems (id. (proposed DFARS 204.7503(d))).

The proposed revisions to the clause at DFARS 252.204-7021 also apply CMMC to subcontractors by requiring prime contractors to flow the clause down to subcontractors and suppliers that store, process, or transmit FCI or CUI (id. at 66338 (proposed DFARS 252.204-7021(d))). The clause requires prime contractors to ensure that any such subcontractors and suppliers have a current CMMC certificate or self-assessment, as applicable, and complete affirmations of continuous compliance for each subcontractor/supplier information system that handles FCI or CUI (id. (proposed DFARS 252.204-7021(b)(6) & (d)(2))). DoD indicated that it does not intend to provide any mechanism for prime contractors to verify the CMMC status of subcontractors. Instead, DoD suggests that prime contractors should independently validate the CMMC compliance of their subcontractors, as with any other flow-down provision (id. at 66330).

The December 2023 Proposed CMMC Rule contemplated a “phased implementation” in which DoD would include CMMC requirements in solicitations in four phases over a three-year period, with the first phase commencing when DFARS 252.204-7021 is finalized. The August 2024 Proposed DFARS Rule similarly contemplates a three-year implementation and proposes the revisions to DFARS 252.204-7021 that will officially start the first phase. During this initial phase, DoD will include CMMC Level 1 or Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts. In subsequent phases, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. DoD will also begin including CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.

Stay tuned for more updates as DoD finalizes the December 2023 Proposed CMMC Rule and the August 2024 Proposed DFARS Rule and CMMC implementation officially begins. In the meantime, if you have questions or needs, reach out to your McDermott contact or one of the authors.