Component 23 – 2
Search Newsline
 

On Aug. 15, the U.S. Department of Defense issued a proposed rule, Assessing Contractor Implementation of Cybersecurity Requirements, which seeks to implement contractual requirements for DOD contracts related to the recently proposed Cybersecurity Maturity Model Certification 2.0 Program. 

While ABC recognizes and supports the DOD’s need to protect national security through cybersecurity efforts, as currently proposed the rule raises serious concerns regarding a lack of clear definitions and flexibility for federal contractors on DOD projects. 

ABC members can take action now by submitting pre-generated comments to DOD through ABC’s Action Center or the ABC Action app, calling on DOD to clarify and streamline CMMC 2.0 regulations. Comments on the proposed rule are due Oct. 15.

Previously, on Dec. 26, 2023, the DOD released a proposed rule and guidance documents to establish CMMC 2.0. As proposed, CMMC 2.0 would require federal contractors and subcontractors competing for DOD contracts to demonstrate continued compliance with a range of cybersecurity measures to maintain eligibility for performing and winning new federal awards. ABC joined coalition comments on that rule, submitted on Feb. 26, 2024, calling for more clarity and urging a flexible implementation of CMMC requirements. This rule has yet to be finalized.

The Aug. 15 proposed rule largely defers to CMMC 2.0 as previously proposed, with a focus on providing guidance to contracting officers as well as standard contracting clauses and solicitation provisions to incorporate CMMC 2.0.

However, the proposed rule includes new provisions of note, including:

  • A requirement in the contract clause for contractors to notify contracting officers within 72 hours of “any lapses in information security”
  • A statement that a CMMC 2.0 certification is only current if there have been “no changes in CMMC compliance since the date of the assessment”
  • A requirement for contractors on DOD contracts to use only information systems that have an appropriate CMMC 2.0 certification, regardless of whether the data on these systems is covered by CMMC 2.0

For more information on the proposed rule and cybersecurity requirements impacting federal contractors, see Wiley Rein’s legal analysis of the proposal and ABC’s Cybersecurity Resource Guide.

Archives