Understanding the New CMMC 2.0 DFARS Requirements: Implementation, Time Frames, and Impact
August 15th, 2024 | 3 min read
Author: Tara Lemieux, CMMC Consultant and CCP/CCA/CMMC Instructor
The long-awaited proposed rule amending Title 48 of the Code of Federal Regulations (CFR), which houses the Defense Federal Acquisition Regulation Supplement (DFARS), to integrate the Cybersecurity Maturity Model Certification (CMMC) into defense contracts has been officially released and is now open for public comment. The Department of Defense (DoD) proposes DFARS amendments that incorporate the requirements of the CMMC 2.0 program. These changes represent a significant evolution in how CMMC will appear in contracts across the defense industrial base (DIB).
A Closer Look at the 48 CFR Proposed Rule
Published in the Federal Register on August 15, 2024, the proposed rule lays out the contract clauses and procedures that DIB organizations will follow to demonstrate compliance with CMMC requirements. The public comment period is open for 60 days and closes on October 15, 2024, and the rule is drawing significant attention. Stakeholders are invited to provide feedback on all aspects of the proposed rule, including clarity of language and potential oversights.
Key Requirements of 48 CFR, the Proposed Update to DFARS
The proposed rule requires contractors to achieve and maintain the CMMC level specified in the contract. That level is determined by the type of information processed, stored, or transmitted on the contractor’s systems: Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Depending on the level, compliance is demonstrated either by a self-assessment or by a third-party certification. The proposed rule mandates the following:
- Certification at Time of Award: Contractors must hold the required CMMC level at the time of contract award and must maintain it throughout the contract’s performance.
- Flow-Down Requirements: The CMMC requirements must be flowed down to subcontractors at every tier that process, store, or transmit FCI or CUI. Prime contractors are responsible for ensuring that their subcontractors meet the appropriate CMMC level.
- Affirmation of Continuous Compliance: Contractors must affirm annually that each information system used in contract performance continues to meet the required CMMC level. The affirmation must be updated whenever the contractor’s compliance status changes.
- Incorporation of Requirements into Contracts: The proposed rule will apply to all solicitations and contracts valued above the micro-purchase threshold, including those for commercial products and services, with the exception of Commercially Available Off-the-Shelf (COTS) items.
- Contracting Officer Responsibilities: Contracting officers may not award a contract, exercise an option, or extend a period of performance unless the contractor meets the contract’s CMMC requirements.
Implementation Time Frames
The DoD has outlined a phased rollout over three years to allow the DIB to adjust to the new requirements. Initially, the requirements will apply selectively, with program offices deciding which solicitations include them. By the fourth year, the requirements will apply to all relevant contracts. This phased approach is intended to minimize disruption, especially for small businesses.
Relevant Legislation
The proposed rule partially implements Section 1648 of the National Defense Authorization Act (NDAA) for Fiscal Year 2020, which directed the Secretary of Defense to strengthen cybersecurity across the DIB. The CMMC program itself is defined in 32 CFR part 170; this proposed DFARS rule carries those requirements into the contracting process.
Impact
The proposed DFARS rule changes surrounding CMMC 2.0 represent a significant shift in how cybersecurity will be enforced within the DIB. The new requirements, particularly flow-down and the requirement to hold the CMMC level at award, will pressure subcontractors to meet stringent cybersecurity standards before contracts are awarded. While the phased implementation allows some time for adjustment, the new landscape will demand greater diligence from all parties involved in defense contracting. Primes must ensure that their subcontractors are fully compliant or risk losing critical contracts, a reality that will likely accelerate certification timelines across the board.
Looking Forward
As the public comment period progresses, we expect substantial feedback that will shape the final version of the rule. Because the DFARS rule draws its requirements from 32 CFR part 170, the two rules together form the regulatory framework governing cybersecurity within the DIB, and CMMC is one part of a larger effort to safeguard national security through enforceable cybersecurity standards.
Stay tuned for more updates as we continue to follow and dissect the implications of CMMC’s final rulemaking. In the meantime, should you have any questions or need assistance with CMMC, Redspin is here to help. Please join our upcoming CMMC Connect session, contact us at info@redspin.com or fill out the form below to chat.