On August 15, the Department of Defense (DoD) released a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS), incorporating requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. This initiative introduces mandatory cybersecurity certifications, phased implementation, and compliance measures for contractors within the defense industrial base. The rule aims to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The proposed rule focuses on key features such as amendments to DFARS 204.7502, which requires contractors to provide current CMMC certification results at the time of contract award. Additionally, DFARS 204.7503 mandates that contracting officers ensure that certification results are posted in the Supplier Performance Risk System (SPRS) before awarding contracts. New definitions related to CMMC and CUI have also been added to ensure clarity within the regulation.
A notable addition is the DFARS Provision 252.204-7YYY, which requires that solicitations notify offerors of the necessary CMMC level and ensure that their certification results are posted in SPRS prior to contract award. Contractors are responsible for uploading their self-assessments, while third-party assessment organizations will handle Level 2 and Level 3 certification results. Failure to provide required certifications will render offerors ineligible for contract awards.
The DoD is currently accepting public comments on this proposed rule until October 15, 2024. This feedback will inform the final rule, expected to be published in the first quarter of 2025, with a phased rollout of the CMMC 2.0 program potentially beginning in the summer of 2025. This initiative represents a significant step in bolstering cybersecurity measures across the DoD supply chain to safeguard sensitive information against cyber threats.
Reference:
