Cyber Security

DoD Proposes New Rule to Bolster Cybersecurity in Defense Sector, Invites Public Comment on CMMC 2.0

20 August 2024

Zaker Adham

Summary

The U.S. Department of Defense (DoD) has introduced a proposal to amend the Defense Federal Acquisition Regulation Supplement (DFARS) by incorporating the Cybersecurity Maturity Model Certification (CMMC) 2.0 program into contractual requirements.

This proposal is part of an ongoing effort to establish a more robust cybersecurity framework for the U.S. defense industrial base (DIB).

Published in the Federal Register, the proposal invites stakeholders to provide their input by October 15, 2024, before the final rule is established. The CMMC 2.0 framework is designed to assess how contractors implement cybersecurity measures, ensuring better protection of unclassified information within the DoD supply chain.

This move follows the suspension of the CMMC 1.0 pilot in 2021, which allowed time for the development of the enhanced CMMC 2.0 program. CMMC 2.0 will be rolled out in phases over three years, with the new requirements gradually extending to all DoD contracts and solicitations, particularly those that involve processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Contractors and subcontractors must comply with the CMMC 2.0 requirements, which will be reflected in the DFARS clause "Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements." This clause will be applicable to solicitations and contracts requiring specific CMMC levels, excluding those for commercially available off-the-shelf (COTS) items.

The DoD evaluated three alternatives for the timing of CMMC 2.0 certification and ultimately decided that certification must be obtained by the time of contract award. This decision aims to mitigate risks to both offerors and the DoD, ensuring that the necessary cybersecurity measures are in place without delaying contract execution.

By the fourth year of implementation, all relevant DoD solicitations and contracts will require compliance with CMMC 2.0, providing increased assurance that sensitive unclassified information is adequately protected across the defense supply chain. This proposal is part of a broader initiative to safeguard intellectual property and sensitive information from cyber threats, which pose significant risks to national security and the economy.