The proposed rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published in the Federal Register on August 15, 2024 and will have a 60-day comment period (through October 15, 2024).

The proposed rule mirrors the Title 32 Code of Federal Regulations (“CFR”) CMMC proposed rule we analyzed here and contains no real surprises, although it does provide important reminders and significantly expands the text of the DFARS provision that will be included in Department of Defense (“DoD”) contracts to spell out the various CMMC obligations for contractors and subcontractors (we saw an interim version of this clause published in 2020).

Below are the requirements for contractors in the new DFARS 252.204-7021 clause per the proposed rule:

  1. Have a current CMMC certificate or self-assessment at the requisite CMMC level, or higher;
  2. Maintain the required CMMC level for the duration of the contract for all applicable information systems;
  3. Only store, process, or transmit data in appropriate information systems;
  4. Notify the contracting officer within 72 hours of any lapses in information security or changes in the status of CMMC certificate or self-assessment levels;
  5. Complete and maintain on an annual basis, or when changes occur, an affirmation of continuous compliance with the security requirements;
  6. Ensure all subcontractors and suppliers complete and maintain on an annual basis, or when changes occur, an affirmation of continuous compliance with the security requirements.

The proposed clause also includes a new section on reporting (1) the unique identifiers issued by DoD for each information system included in SPRS; (2) the results of contractor self-assessments in SPRS; and (3) any changes to the list of unique identifiers.

Below is a refresher on the basics of the CMMC program as well as key reminders and updates for companies as they continue to prepare for implementation.

CMMC Program Basics

  • The CMMC program will be rolled out in phases over three years – The DFARS clause will become effective and the phased roll-out will begin when a final rule is issued (estimated to be in early to mid-2025).
  • Prime contractors will be responsible for compliance of subcontractors – DoD acknowledges prime contractors do not have access to the Supplier Performance Risk System (“SPRS”) database to confirm compliance by subcontractors, but primes are expected to “conduct verifications” for subcontractor compliance. The proposed rule also specifically states it does not exempt foreign suppliers from these requirements.
  • The CMMC requirements will apply to most DoD solicitations and contracts – The proposed rule will apply to acquisitions of commercial products or services (except for exclusively commercially available off-the-shelf (“COTS”) procurements) and to procurements at or below the simplified acquisition threshold, but not to purchases at or below the micro-purchase threshold.
  • CMMC Certification or Self-Assessment must be complete at contract award – DoD discusses the timing on this and specifies contracting officers will not be able to make an award, exercise an option, or extend performance of a contract unless CMMC requirements are met.

Key Updates & Reminders

  • Don’t forget about your systems with Federal Contract Information – CMMC requirements apply to all contractor systems that store, process, or transmit Controlled Unclassified Information (“CUI”) or Federal Contract Information (“FCI”) in performance of the contract. While CUI has been a focus for contractors, requirements for FCI will become more important as companies must provide attestations and confirm self-assessments for the 15 basic security controls for FCI.
  • DoD will provide unique identifiers for applicable information systems – When contractors report in SPRS, DoD will provide unique identifiers (“UIDs”) for each contractor system. The proposed rule requires DoD contractors and subcontractors to specifically identify those information systems with CUI and FCI to be used in performance of the contract. Thus, DoD contractors that haven’t already done so will need to inventory their systems and prepare to report on all systems that support DoD contracts.
  • A senior company official must provide an affirmation of continuous compliance with CMMC – As a prerequisite to contract award, DoD contractors and subcontractors must have provided in SPRS an affirmation of continuous compliance with security requirements for each applicable information system.
  • Contractors will be required to report changes in their systems within 72 hours – The proposed rule includes a new requirement for contractors to report any “lapses in information security” or changes in the status of CMMC levels during contract performance. This addition to the proposed DFARS clause could use clarification: if it is read to require reporting of small tweaks or temporary changes, it could become incredibly cumbersome and unworkable. We expect this to be a hot topic in comments.

In anticipation of CMMC taking effect in 2025, here are a few key actions Federal contractors should take right now:

  1. Determine the expected CMMC level(s) that are likely to apply to future contracts;
  2. Ensure all information systems supporting DoD contracts are accounted for in CMMC planning;
  3. Assess subcontractor ability to meet CMMC requirements; and
  4. Review and update internal policies and procedures, as necessary, to ensure compliance with new requirements.

Sheppard Mullin’s Governmental Cybersecurity and Data Protection team is closely following this proposed rule and related developments and will continue to provide updates as they become available.