The Department of Defense (DoD) published a proposed rule today to integrate Cybersecurity Maturity Model Certification (CMMC) requirements into the contracting process as the Pentagon moves forward with its cyber certification initiative.
The proposed amendment to the Defense Acquisition Regulations Supplement (DFARS), published in the Federal Register on Aug. 15, would integrate CMMC requirements into the Pentagon’s solicitations and contracts.
The proposed DFARS rule states that DoD will require organizations to submit their self-assessment or certification at the time of contract award. Initially, DoD officials considered requiring organizations to submit their CMMC documents with their proposals. However, this would pose “increased risk for offerors, as they may not have enough time to achieve the required CMMC certification,” according to the DFARS rule notice.
Officials also considered requiring organizations to submit their CMMC documents after the award, but the department determined that would increase risks for the DoD.
Additionally, the proposed rule outlines a three-year “phased rollout” of the CMMC requirements to minimize financial impacts on the industrial base, particularly for small entities, and to reduce disruption to the existing DoD supply chain.
CMMC efforts at the DoD have been ongoing since 2020 and are aimed at ensuring defense contractors comply with cybersecurity standards to protect sensitive but unclassified information.
In September 2020, the DoD issued an interim rule to DFARS, outlining the initial vision for CMMC 1.0, which included a tiered model, required assessments, and contract implementation. This rule took effect on Nov. 30, 2020, starting a five-year compliance phase. In March 2021, the DoD began an internal review using over 750 public comments to refine its policy, leading to the launch of “CMMC 2.0” with an updated structure by November 2021.
According to the DFARS rule notice, at the end of the proposed three-year rollout nearly 35 percent of contractors handling sensitive data – approximately 10,340 entities – will need a “level two” CMMC third-party certification, while around 65 percent of applicable contracts will require a “level one” self-assessment.
The Office of Information and Regulatory Affairs (OIRA) is currently reviewing the DoD’s final CMMC rule, which details the specifics of CMMC at the program level, submitted in December 2023. This final rule has been under OIRA’s review since late June.
The comment period for the DFARS rule will close on Oct.14.
