by Beth Burgin Waller and Patrick J. Austin
The United States Department of Defense (DoD) took another big step on the path to instituting its highly anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0). Once finalized, CMMC 2.0 will establish and govern cybersecurity standards for defense contractors and subcontractors.
On August 15, 2024, DoD submitted a proposed rule that would implement CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS). The proposed DFARS rule effectively supplements DoD’s proposed rule published in December 2023 by providing guidance to contracting officers, setting forth a standard contract clause to be used in all contracts covered by the CMMC 2.0 program, DFARS 252.204-7021, and setting forth a standard solicitation provision that must be used solicitations for contracts covered by the CMMC 2.0 program, DFARS 252.204-7YYY (number to be added when the rule is finalized).
There is a 60-day comment period for the DFARS proposed rule, meaning individuals have until October 15, 2024, to provide public feedback on the proposal.