Department of Defense Proposes Changes to Cybersecurity Model Certification


Photo credit/source: natlawreview.com

DoD Proposes Rule for CMMC 2.0 Program Implementation: What You Need to Know

The U.S. Department of Defense (DoD) is gearing up to implement its Cybersecurity Maturity Model Certification (CMMC) 2.0 program, with a proposed rule recently published outlining the contractual framework for the initiative. The CMMC program, first announced in 2019, aims to enhance cybersecurity measures for defense contractors and subcontractors handling sensitive information shared with the DoD.

The proposed rule, currently open for public comment until October 15, 2024, provides guidelines for DoD contracting officers on incorporating CMMC 2.0 requirements into solicitations and contract awards. The program builds upon existing cybersecurity compliance obligations under the Defense Federal Acquisition Regulation Supplement (DFARS) and introduces more formalized assessment and oversight processes, including certification by independent third parties.

The CMMC 2.0 program features a tiered model that requires companies to implement cybersecurity standards at progressively advanced levels based on the sensitivity of the information they handle. It also mandates assessments to verify compliance with cybersecurity standards and will be implemented through contracts, with certain DoD contractors required to achieve specific CMMC levels as a condition of award.

The proposed rule outlines a three-year phased rollout of the program, with full implementation expected in all covered DoD procurements by Year 4. Contractors will be required to report any lapses in information security or changes in their CMMC certification status within 72 hours during contract performance, adding to their compliance and reporting burdens.

Once finalized, the CMMC requirements will apply to nearly all recipients of DoD funding, regardless of their position in the supply chain. Contractors and subcontractors are advised to start preparing for CMMC compliance now by ensuring their cybersecurity systems align with the NIST SP 800-171 security controls and planning for security assessment and certification activities.

As the DoD moves closer to formalizing the CMMC program, organizations within the DoD supply chain should stay informed about the evolving requirements and take proactive steps to ensure they are prepared to meet the cybersecurity standards set forth by the agency.

Dr. Rafael Marrero
A nationally recognized expert in federal contracting, small business entrepreneurship, vendor management, and project/program management. A graduate of Stanford and Cornell Universities, Dr. Rafael Marrero is a former Fortune 500 procurement executive, two-time Inc. 500 honoree, network news commentator, and Amazon best-selling author.
