DoD Continues Its March Towards Formal CMMC Adoption
Litigation Alert
On August 14, 2024, the Department of Defense (DoD) issued a proposed rule to implement its Cybersecurity Maturity Model Certification (CMMC) 2.0 program. The proposed rule is intended to protect the U.S. economy and national security by creating a uniform framework for ensuring that defense contractors adequately protect controlled unclassified information (CUI), federal contract information (FCI), intellectual property, and other sensitive information moving through the DoD supply chain against malicious cyber activity. It would accomplish this by imposing requirements on contractor information systems that process, store, or transmit CUI or FCI during contract performance.
Quick Takeaways
The key takeaways from the proposed rule are: (1) adding definitions for "CUI," "current," and "DoD unique identifier" (DoD UID) and (2) establishing and revising related Defense Federal Acquisition Regulation Supplement (DFARS) solicitation and clause language.
New Definitions
The proposed rule adds the following definitions:
- CUI: Information the government creates or possesses, or an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls
- Current:
- Not older than one year for Level 1 self-assessments, with no changes in CMMC compliance since the date of the assessment
- Not older than three years for Level 2 certificates and self-assessments, with no changes in CMMC compliance since the date of the assessment
- Not older than three years for Level 3 certificates, with no changes in CMMC compliance since the date of the assessment
- Not older than one year for affirmations of continuous compliance with the security requirements identified at 32 CFR part 170, with no changes in CMMC compliance since the date of the affirmation
- DoD UID: An alphanumeric string of 10 characters assigned within the Supplier Performance Risk System (SPRS) to each contractor information system that processes, stores, or transmits FCI or CUI
While many will be pleased to see a definition of CUI finally provided, the proposed definition could place a significant burden on defense contractors to continuously track the ever-changing laws, regulations, and government-wide policies that require safeguarding or dissemination controls, so that they accurately and completely identify all CUI in their systems (the National Archives' CUI Registry catalogs the recognized CUI categories and their underlying authorities, but it is the contractor who must map that registry to the information it actually holds). Hopefully, further clarification of the definition will occur during the rulemaking process.
Revised DFARS Language
The rule proposes amending the following DFARS provisions:
- DFARS 204.7502: When a CMMC level is included in the solicitation, requires a current CMMC certificate or CMMC self-assessment at the required level, at the time of contract award, for all information systems that will process, store, or transmit FCI or CUI during contract performance
- DFARS 204.7503: Requires contracting officers to verify in SPRS, prior to awarding a contract or exercising an option, that the contractor has a current CMMC certificate or CMMC self-assessment at the level required by the solicitation, or higher, and a current affirmation of continuous compliance
- Also requires that CMMC certification requirements flow down to subcontractors at all tiers when the subcontractor will process, store, or transmit FCI or CUI
- DFARS 252.204-7021:
- Maintain the relevant CMMC level for the life of the contract
- Affirm compliance with the security requirements identified in 32 CFR Part 170 annually and whenever security changes occur
- Notify the contracting officer of any changes to relevant information systems that process, store, or transmit FCI or CUI
- Require contractors to ensure subcontractors have the required CMMC level prior to awarding subcontracts
- Require contractors to notify the contracting officer within 72 hours of any lapses in information security or changes in CMMC certification levels during contract performance
This last requirement in DFARS 252.204-7021 is the one most likely to cause contractors concern, given the lack of clarity regarding what constitutes a "lapse in information security" combined with the short 72-hour reporting window. As with the definition of CUI, hopefully the rulemaking process will lead to further clarification of this new reporting requirement.
New DFARS Provision
The rule proposes a new solicitation provision:
- DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements: As its name suggests, will inform offerors of the CMMC level required by the solicitation and the SPRS posting requirements prior to award
Timing and Scope of CMMC 2.0 Implementation
It's important to note that the proposed rule envisions a three-year phased roll-out. During this time, it will be up to the respective program office or requiring activity to determine whether CMMC clauses and requirements must be incorporated in its solicitations and contracts. Once the phase-in period is complete, however, CMMC will apply to all DoD solicitations and contracts, including commercial product and service contracts valued above the micro-purchase threshold. Solicitations and contracts solely for Commercial-Off-The-Shelf (COTS) items are, and will continue to be, excepted.
Comments are due by October 15, 2024.
If you have any questions regarding the proposed rule or how it might impact your federal business, please contact one of the attorneys listed below:
Ashley Powers, apowers@milchev.com, 202-626-5564
Jason N. Workmaster, jworkmaster@milchev.com, 202-626-5893
Alex L. Sarria, asarria@milchev.com, 202-626-5822
The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.