- Federal contractors should closely follow the developments of this proposed rule, as compliance with the Cybersecurity Maturity Model Certification (CMMC) 2.0 program will be required for future contracts.
- The rule is progressing, with a comment period open until October 15, 2024, signaling that implementation is moving forward.
- A key element of the proposed rule is third-party auditing requirements for contractors, which ensure compliance with specific cybersecurity levels before contractors are awarded federal contracts.
The Defense Department has proposed a new rule requiring contractors working with the federal government to implement the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework. This rule protects unclassified information within the Department of Defense (DoD) supply chain. Contractors must demonstrate compliance with specific cybersecurity levels before being awarded contracts, including meeting certification requirements through third-party assessments or self-assessments. These certifications must also be passed down to subcontractors who handle sensitive data.
During a three-year rollout phase, the CMMC requirements will be phased into contracts, with contractors expected to maintain their certification throughout the contract period. This ensures that all tiers of subcontractors comply with cybersecurity protocols. Contractors must submit proof of certification via the Supplier Performance Risk System (SPRS), which will verify their compliance with the required CMMC level. Failure to maintain certification may prevent contractors from being awarded federal contracts or continuing their work on existing projects.
The proposed rule includes several changes to the Defense Federal Acquisition Regulation Supplement (DFARS), such as defining controlled unclassified information (CUI) and requiring contractors to affirm continuous compliance annually or when security changes occur. Contractors should prepare for rigorous third-party audits, ensuring they meet the cybersecurity standards to secure sensitive data. With the comment period open until mid-October 2024, contractors are encouraged to provide feedback and stay updated on the rule’s progress.