by Beth Burgin Waller and Patrick J. Austin
The United States Department of Defense (DoD) took another big step on the path to instituting its highly anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0). Once finalized, CMMC 2.0 will establish and govern cybersecurity standards for defense contractors and subcontractors.
On August 15, 2024, DoD published a proposed rule that would implement CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS). The proposed DFARS rule effectively supplements DoD’s proposed rule published in December 2023 by providing guidance to contracting officers, setting forth a standard contract clause to be used in all contracts covered by the CMMC 2.0 program, DFARS 252.204-7021, and setting forth a standard solicitation provision that must be used in solicitations for contracts covered by the CMMC 2.0 program, DFARS 252.204-7YYY (number to be added when the rule is finalized).
There is a 60-day comment period for the DFARS proposed rule, meaning individuals have until October 15, 2024, to provide public feedback on the proposal.
Contractual Requirements in DFARS Proposed Rule
If the proposed DFARS rule is finalized in its current form, contractors in the Defense Industrial Base (DIB) will need to be prepared to meet the following contractual requirements:
- Possess a current CMMC certificate, or self-assessment, at the requisite CMMC level (or higher) and be prepared to maintain the required CMMC level for the duration of the contract for all applicable information systems
- Post the results of a CMMC self-assessment in the Supplier Performance Risk System (SPRS)
- Only store, process, or transmit data in appropriate information systems
- Inventory and manage DoD-issued unique identifiers that will be assigned to information systems used in the performance of a specific contract or solicitation
- Notify the contracting officer within 72 hours of any lapses in information security or changes in the status of the CMMC certificate or self-assessment level (more on this new requirement below)
- Complete and maintain on an annual basis, or when changes occur, an affirmation of continuous compliance with the security requirements
- Ensure all subcontractors and suppliers complete and maintain on an annual basis, or when changes occur, an affirmation of continuous compliance with the security requirements
Why This is Important
If you are a defense contractor or subcontractor in the DIB, the release of the DFARS proposed rule is significant since it means the CMMC 2.0 program is that much closer to becoming a reality. DoD previously indicated it would only begin phasing in the cybersecurity requirements contained in the CMMC program after it amended both Title 32 of the Code of Federal Regulations (i.e., where the substantive security requirements of the CMMC 2.0 program reside) and Title 48 (i.e., where the DFARS resides). DoD has now issued proposed rules to amend both Title 32 and Title 48.
As a result, the only steps left in finalizing the CMMC 2.0 program are for DoD to review and respond to the comments received and to formally publish the final rules.
New Compliance Requirements
The DFARS proposed rule also contains significant new requirements that are likely to impact the ability of defense contractors to comply with the CMMC 2.0 program.
1. 72-Hour “Lapse” Reporting Obligation
The DFARS proposed rule, specifically DFARS 252.204-7021(b)(4), contains a notable new requirement for contractors to notify the contracting officer within 72 hours of “any lapses in information security.” This time-sensitive reporting obligation is likely to create compliance challenges for defense contractors. For example, the proposed rule does not define what would be considered a “lapse in information security,” and the term could be interpreted more broadly than “cyber incident,” which is defined in the existing DFARS cybersecurity clause (DFARS 252.204-7012). Even more troubling, the proposed rule does not expressly limit reportable “lapses” to those affecting covered information systems.
Another problematic aspect of this reporting obligation is that it effectively decentralizes the reporting regime: a defense contractor would need to notify the contracting officer for each affected contract of a reportable “lapse.” In contrast, under the existing DFARS clause, defense contractors report “cyber incidents” through DoD’s central reporting portal, DIBNet.
2. Risk of Invalidating CMMC Certification
Another notable aspect of the proposed DFARS rule is that it introduces the concept of invalidation by modification. In effect, if a defense contractor modifies its information system, those modifications could invalidate the contractor’s existing CMMC certification or self-assessment.
This risk arises from the proposed rule’s definition of a “current” CMMC certification as one “with no changes in CMMC compliance since the date of the assessment.” The DFARS proposed rule does not describe what type of “changes” or modifications would call a contractor’s CMMC certification into question, leaving contractors to judge for themselves whether a given system change affects their compliance status.
3. Continual Compliance
Under the DFARS proposed rule, defense contractors will be required to have – and maintain – the requisite CMMC level for the life of the contract. In addition, defense contractors would need to complete and maintain – on an annual basis, or when security changes occur – an affirmation of continuous compliance with the CMMC 2.0 security requirements. This affirmation would need to be made by a senior official within the company.
The affirmation would attest that the self-assessment or certification remains current and that the information systems that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) comply with the CMMC 2.0 security requirements.
Looking Ahead
With the issuance of the DFARS proposed rule, it is clear DoD is intent on moving forward with and getting the CMMC 2.0 program finalized at some point in 2025. This means defense contractors need to be proactive in preparing to meet CMMC’s new cybersecurity standards. Here are some recommended action steps to consider taking:
- Identify the anticipated CMMC level(s) that are likely to apply to future defense contracts
- Ensure all information systems that support DoD contracts are inventoried and managed properly
- Assess the ability and capacity of your subcontractors to meet the requirements imposed under the CMMC 2.0 program
- Develop an IT security strategy to meet cybersecurity reporting obligations, particularly the amorphous 72-hour notice period for any “lapses in information security”
- Implement internal processes and procedures to comply with expected audits and attestation requirements
Beth Burgin Waller is a Principal and Patrick J. Austin is Of Counsel at Woods Rogers Vandeventer Black PLC.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness or validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).