Cybersecurity across the Defense Industrial Base (DIB) remains one of the Department’s top priorities. That priority is why the Cybersecurity Maturity Model Certification (CMMC) program was initiated. By incorporating cyber protections into acquisition programs, CMMC aims to provide assurance that contractors and subcontractors meet the Department’s cybersecurity requirements now and into the future.
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has revised the Cybersecurity Maturity Model Certification (CMMC) program, now called CMMC 2.0. The Federal Register Notice, together with the Department’s analysis of CMMC 2.0, provides insight into the changes.
The Federal Register Notice explains: “In March 2021, the Department initiated an internal assessment of CMMC 1.0 implementation that was informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment of CMMC engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation. This review resulted in “CMMC 2.0,” which updates the program structure and the requirements to streamline and improve implementation of the CMMC program.”
OUSD(A&S) announced information about CMMC 2.0 in early November. The Federal Register Notice reflects “changes in the CMMC 2.0 framework that will be implemented through the rulemaking process.” The Department of Defense will pursue rulemaking in both Title 32 and Title 48 of the Code of Federal Regulations (CFR) to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR.
The Notice went on to explain that until the CMMC 2.0 changes become effective, the Department will suspend the CMMC piloting efforts. DoD also will not approve inclusion of a CMMC requirement in DoD solicitations, and the requirements will not be mandatory until rulemaking is complete and the changes have been implemented, as needed, into acquisition regulation.
Contracting officers are required to follow the Interim Rule, Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041). This rule amends the DFARS on Safeguarding Covered Defense Information and Cyber Incident Reporting and implements the DoD Assessment Requirements. If an offeror is required to implement these requirements, the subpart directs contracting officers to verify that the offeror has a current assessment on record in the Supplier Performance Risk System (SPRS). The contracting officer is also directed to include several requirements in solicitations and contracts, including:
This includes solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of Commercial Off-The-Shelf (COTS) items.