DoD Proposes Cybersecurity Certification Rule

Lilu Anderson

Understanding the Proposed Cybersecurity Certification Rule by the DoD

The U.S. Department of Defense (DoD) has unveiled a significant proposal to amend the Defense Federal Acquisition Regulation Supplement (DFARS) with new cybersecurity requirements. Central to this proposal is the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. This initiative aims to create a consistent framework to bolster cybersecurity across the U.S. defense industrial base (DIB), as mandated by a section of the National Defense Authorization Act for Fiscal Year 2020.

Public Input on Proposed Rule

A notice in the Federal Register has invited stakeholders to submit their comments on this proposed rule by October 15, 2024. These insights will be crucial for refining and finalizing the regulations.

What is CMMC 2.0?

CMMC 2.0 is designed to assess how well defense contractors implement cybersecurity measures, focusing on protecting unclassified but sensitive information within the DoD supply chain. After suspending the initial CMMC 1.0 efforts in November 2021, the DoD published the proposed CMMC 2.0 rule on December 26, 2023, establishing a new set of requirements.

Phased Rollout Strategy

The DoD plans a phased rollout of CMMC 2.0 over three years. During this period, the relevant program office or activity will decide whether to include CMMC requirements in a given contract solicitation. Importantly, prime contractors must flow these certification requirements down to subcontractors at every tier that will handle federal contract information (FCI) or controlled unclassified information (CUI).

Post-Phase-in Application

Following the phase-in period, CMMC will become mandatory for all DoD solicitations and contracts exceeding the micro-purchase threshold that involve handling FCI or CUI. This includes contracts for commercial products or services.

Certification Timing Decision

The DoD explored three options for when contractors need to achieve CMMC 2.0 certification: during proposal submission, at the contract award, or after the award. The decision was made to require certification at the time of the award.

Cost and Benefits of the Proposed Rule

Implementing this rule will incur costs for contractors, who must complete the assessment activities needed to achieve certification. However, the benefits are significant. With accredited third-party assessors verifying contractors' cybersecurity practices, there is greater assurance that sensitive information, such as CUI, is protected. This move is crucial for safeguarding intellectual property and sensitive data from cyber threats, which have profound implications for the U.S. economy and national security.

While precise benefits are difficult to quantify, reducing the risk of malicious cyber activities is anticipated to offer substantial advantages.
