DoD issued a proposed rule dated August 15, 2024 (DFARS Case 2019-D041) to amend DFARS to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) Program. This implements a section of the National Defense Authorization Act for FY 2020 to enhance cybersecurity for the US defense industrial base. DoD estimates that the final rule will be issued during Quarter 1 2025. Contractors should take heed and provide comments by the October 15, 2024, due date.
The proposed rule includes the following changes to the DFARS 252.204-7021, Contractor Compliance with Cybersecurity Maturity Model Certification Level Requirements clause:
- Adds definitions at paragraph (a) for current Cybersecurity Maturity Model Certification and DoD Unique Identifier (UID).
- Adds requirements for contractors to:
  - Maintain the CMMC level for the life of the contract.
  - Submit the DoD UID(s) in the Supplier Performance Rating System (SPRS) for contractor information systems that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during performance of the contract.
  - Complete an annual affirmation of continuous compliance with the security requirements.
  - Notify the contracting officer of changes in the information systems during contract performance.
  - Ensure subcontractors have the appropriate CMMC level prior to award.
  - Include the requirements of the clause in subcontracts when there is a requirement for CMMC in the contract.
As you can see, the proposed rule creates many more requirements, reporting obligations, and certifications for contractors. Let’s discuss some of them.
New DFARS Solicitation Provision
On a positive note, a new DFARS provision 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements, will be added, and Contracting Officers must identify the applicable CMMC level in the solicitation. This will take the guesswork out of the contractor trying to figure out the applicable level.
New Definitions Added in DFARS 204.7501
The proposed rule defined “current” for each assessment/certification.
- Level 1 is a self-assessment and must be not more than one year old.
- Level 2 can be a self-assessment or a certified third-party certification and must be not more than three years old.
- Level 3 is a certification prepared by a DoD assessor and must be not more than three years old.
- DoD unique identifier (UID) is defined as an alphanumeric string of ten characters assigned in the SPRS system to each contractor assessment.
Contractors are required to upload the self-assessment to SPRS, while the third-party organizations and DoD assessors that certify CMMC Level 2 and Level 3, respectively, electronically transmit the certification to SPRS on the contractor’s behalf.
Do I Only Need One Assessment/Certification?
It depends. Contractors need to prepare a CMMC self-assessment/certification for each applicable information system that will process, store, or transmit FCI or CUI during the performance of the contract. This means contractors will need to assess their IT structure and determine which and how many information systems are impacted and require a CMMC self-assessment/certification. When a contractor submits a proposal, it will identify the DoD UIDs for each information system that will process, store, or transmit FCI or CUI in the performance of the contract. So, yes, you may, and likely will, have multiple assessments depending on your systems and the requirements of the individual contracts.
You Will Need to Submit an Annual Affirmation Too
Yes, another certification. An annual affirmation of continuous compliance with the security requirements must be completed, signed by a senior company official, and uploaded in SPRS in addition to the CMMC self-assessment/certification. While contractors can submit a proposal in response to a solicitation with a CMMC requirement, the Contracting Officer must ensure both the CMMC self-assessment/certification and the annual affirmation are completed before award of a contract. (Note: there was a link to 32 CFR 170.4 for the definition of senior company official, but the cite is not available.)
More Reporting Requirements
Yes, another reporting requirement. Contractors would be required to report to the Contracting Officer within 72 hours:
- A “lapse” in information security.
- Changes in the status of CMMC self-assessment or certification during the contract period of performance.
The proposed rule does not define “lapse,” and a lapse is different from a cyber incident. When there is a lapse, change, or update to the CMMC self-assessment/certification, the Contracting Officer must be notified within 72 hours. This is in addition to the current DFARS 252.204-7012 requirement to rapidly report cyber incidents within 72 hours.
What About Subcontracts?
We can’t forget subcontractors. Prime contractors and higher-tier subcontractors must flow down CMMC requirements in subcontracts when applicable and ensure the subcontractor has a current CMMC self-assessment/certification appropriate for the subcontract. While prime contractors do not have access to a subcontractor’s information in SPRS, contractors would be expected to work with their suppliers to conduct verifications as they would under any other clause requirement that applies to subcontractors.
What About Joint Ventures?
Yes, not so fast. The comments to the proposed rule indicate each entity in a joint venture that has a requirement for CMMC would be required to comply with the same requirements related to any information systems that process, store, or transmit FCI or CUI during contract performance.
Takeaways
The proposed rule is pretty in-depth, and we covered some of the major areas. We strongly encourage contractors to review the proposed rule and submit comments by October 15, 2024.
Contractors should also begin the process of determining what CMMC level of certification will be required for their information systems sooner rather than later. Outside assistance from a subject matter expert may be necessary, especially for companies that don’t have an Information Technology department, since the senior official of the company will be signing the certification. It is not going to be as easy as completing a checklist. If the certification is not complete, Contracting Officers will not be able to award the contract. This could result in delays or a contractor not receiving an award.
Contractors also need to evaluate, in anticipation of the final rule, what updates will be needed to existing policies and procedures to address:
- the annual affirmation, and
- reporting lapses or changes to a self-assessment/certification to the Contracting Officer.
Remember, it is anticipated to be finalized by first quarter 2025.
Redstone GCI can provide our clients with more information and guidance in working with established industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and POA&Ms revolving around the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution by ensuring cybersecurity policy and flow-down requirements revolving around all aspects are accomplished, including but not limited to purchasing policy requirements. We would be happy to be part of your team.