Understanding the Proposed Cybersecurity Certification Rule by the DoD
The U.S. Department of Defense (DoD) has unveiled a significant proposal to amend the Defense Federal Acquisition Regulation Supplement (DFARS) with new cybersecurity requirements. Central to this proposal is the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. This initiative aims to create a consistent framework to bolster cybersecurity across the U.S. defense industrial base (DIB), as mandated by a section of the National Defense Authorization Act for Fiscal Year 2020.
Public Input on Proposed Rule
A notice in the Federal Register has invited stakeholders to submit their comments on this proposed rule by October 15, 2024. These insights will be crucial for refining and finalizing the regulations.
What is CMMC 2.0?
CMMC 2.0 is designed to assess how well defense contractors implement cybersecurity measures, focusing on protecting unclassified but sensitive information within the DoD supply chain. After suspending the initial CMMC 1.0 efforts in November 2021, the DoD published the proposed CMMC 2.0 rule on December 26, 2023, establishing a new set of requirements.
Phased Rollout Strategy
The DoD plans a phased rollout of CMMC 2.0 over three years. During this time, the inclusion of CMMC requirements in contract solicitations will be decided by the relevant program office or activity. Importantly, these certification requirements must be extended to subcontractors at every tier if they handle federal contract information (FCI) or controlled unclassified information (CUI).
Post-Phase-in Application
Following the phase-in period, CMMC will become mandatory for all DoD solicitations and contracts exceeding the micro-purchase threshold that involve handling FCI or CUI. This includes contracts for commercial products or services.
Certification Timing Decision
The DoD explored three options for when contractors need to achieve CMMC 2.0 certification: during proposal submission, at the contract award, or after the award. The decision was made to require certification at the time of the award.
Cost and Benefits of the Proposed Rule
Implementing this rule will incur costs for contractors, who must carry out the activities needed to achieve certification. However, the benefits are significant. With accredited third-party assessors verifying contractors' cybersecurity practices, there is greater assurance that sensitive information, such as CUI, is protected. This move is crucial for safeguarding intellectual property and sensitive data from cyber threats, which have profound implications for the U.S. economy and national security.
While precise benefits are difficult to quantify, reducing the risk of malicious cyber activities is anticipated to offer substantial advantages.