The Department of Defense (DoD) has proposed amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements into defense contracts. Published in August 2024, these changes highlight the DoD’s commitment to strengthening cybersecurity across its supply chain, reflecting broader efforts to protect sensitive information within the Defense Industrial Base (DIB).
Key Aspects of the Proposal
- Certification at Contract Award: Contractors must hold a current CMMC self-assessment or third-party certification at the level required by the solicitation at the time of contract award, and must maintain that status for the duration of the contract.
- Flow-Down Requirements: The CMMC requirements must be extended to all subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
- Continuous Compliance: Contractors must affirm annually, in the Supplier Performance Risk System (SPRS), that every information system used in contract performance continues to meet the applicable CMMC level, and must notify the contracting officer within 72 hours of any lapse in information security or change in CMMC status.
- Phased Implementation: The requirements will be phased in over three years, applying to selected solicitations and contracts at first and to all applicable contracts beginning in the fourth year.
Public Comment Period
The public comment period for this proposed rule is open until October 15, 2024. Stakeholders are encouraged to provide feedback that could influence the final version of the rule.
Responding to CMMC Compliance Requirements
- Engage Leadership and Secure Buy-In: Ensure that your leadership is fully informed of the implications of these changes and the resources required for compliance. Leadership buy-in is essential for allocating the necessary resources and ensuring the successful implementation of these cybersecurity requirements.
- Budget Planning: Evaluate the potential financial impact of achieving and maintaining CMMC compliance. This includes budgeting for technology upgrades, third-party assessments, employee training and any potential legal or consulting fees.
- Determine Your Required CMMC Level: Identify which CMMC level your current and anticipated contracts will require, based on whether your systems process, store, or transmit FCI or CUI, and confirm that your cybersecurity practices meet the corresponding standards.
- Conduct a Third-Party Gap Assessment: Perform a comprehensive gap assessment of your cybersecurity practices specific to your defined CMMC system boundaries and requirements. Identify and address any deficiencies.
- Mitigate and Remediate: Once gaps are identified, determine the best course of action to address them. Consider all options, including changing policies and standards, improving processes and engaging specialty firms for Security Operations Center (SOC) services.
- Implement Flow-Down Requirements and Enhance Third-Party Risk Management (TPRM): Clearly communicate expectations to your subcontractors to ensure they meet the required CMMC level. Review and update subcontractor agreements to include the necessary cybersecurity clauses, ensuring compliance before awarding subcontracts.
- Prepare for Continuous Compliance: Establish processes for annually assessing risk, reviewing controls and affirming your continuous compliance with CMMC standards. This includes regular audits and updates to reflect any changes in your cybersecurity practices.
- Plan for Phased Implementation: Understand the phased approach to implementation and develop a timeline to meet the requirements over the next three years. Prioritize contracts that will be immediately affected, ensuring all necessary certifications are in place.
- Monitor Regulatory Updates: Stay informed about any changes or updates to CMMC requirements. Continuous monitoring will help your organization quickly adapt to any new regulatory developments.
These requirements, or some version of them, are coming. Preparing now to meet the DoD requirements is important; they underscore the DoD’s ongoing commitment to safeguarding the defense supply chain through robust cybersecurity measures.
By engaging in thoughtful planning, continuous monitoring, and effective communication, your organization can strengthen its overall cybersecurity posture now and ensure compliance in the future. Staying ahead of these changes will position your organization as a trusted and resilient partner in the defense industry.
Contact Us
If you have any questions regarding CMMC, Cherry Bekaert’s Information Assurance & Cybersecurity and Government Contracting advisors are available to discuss your situation with you.
Catch up on Cherry Bekaert’s Previous Insights on CMMC 2.0:
- On-Demand Webinar: Getting Ahead of CMMC Compliance: Latest Insights & How to Prepare
- Podcast: CMMC Program Proposed Rule Published in the Federal Register: Insights Into the Proposed Rule and When CMMC 2.0 Will Be Required
- Podcast: Final CMMC Rule Reaches Critical Milestone
- Podcast: How Will NIST Special Publication (SP) 800-171, Revision 3 Impact CMMC?
- Article: Updated Projected Timeline for CMMC: What this Means for Contractors and How to Prepare for Certification
- Podcast: Final CMMC Rule: March 2023 Update
- Podcast: CMMC 2.0 – Where Does It Stand?
- Podcast: What’s New with CMMC 2.0? August 2022 Update
- Podcast: CMMC 2.0 Brings Major Program Changes