This story was originally published in the Government Contracting Pipeline newsletter from Strategic Partnerships, Inc.
The Department of Defense (DoD) has published a final rule establishing the revised Cybersecurity Maturity Model Certification (CMMC) program in law, updating the original 2020 program. The CMMC program creates a unified set of requirements for contractors that handle unclassified information needing protection or dissemination controls.
The CMMC outlines a series of regulations and mechanisms to ensure all DoD contractors can adequately safeguard and store federal contract information (FCI) and controlled unclassified information (CUI) provided by the department. The DoD will use these guidelines to confirm when contractors and subcontractors achieve and maintain security measures commensurate with current and future cybersecurity threats.
The final rule aligns the program with cybersecurity requirements laid out by the Federal Acquisition Regulation (FAR) and National Institute of Standards and Technology (NIST). The DoD announced its intent to revise the CMMC program in November 2021 to achieve five primary goals:
- Protect sensitive information to enable and protect DoD initiatives.
- Enforce Defense Industrial Base (DIB) cybersecurity standards to meet evolving threats.
- Ensure accountability while minimizing compliance barriers with DoD requirements.
- Promote a collaborative cybersecurity and cyber resilience culture.
- Maintain public trust through high professional and ethical standards.
One of the notable changes to the updated rule is the consolidation of the program’s original five levels of certification to three. The DoD’s simplification of the certification process makes it easier and clearer for small- and medium-size businesses to apply for and achieve specified certification levels.
The revised CMMC program has three primary features differentiating it from earlier versions:
- The CMMC will require companies with access to FCI and CUI to develop cybersecurity standards based on a tiered model. These three tiers progressively advance in cybersecurity complexity and resilience based on the type and sensitivity of the DoD information. The program also outlines the process for requiring protections for data acquired by subcontractors.
- The DoD will use CMMC assessments to determine if contractors and subcontractors are implementing clear cybersecurity standards.
- The final rule will employ a phased implementation strategy. Certain DoD contractors handling FCI and CUI will only be able to win a contract if they achieve a specified CMMC level. The DoD will implement the CMMC requirements through a four-phase plan over a three-year period.
Businesses will be allowed to self-assess CMMC compliance where appropriate. CMMC Level 1 covers basic protection of FCI. CMMC Level 2, which covers general protection of CUI, will require either a third-party assessment or a self-assessment. The highest level – CMMC Level 3 – will require an assessment led by the DIB Cybersecurity Assessment Center to ensure contractors can provide a higher level of protection against advanced persistent threats.
The updated CMMC rules will be effective Dec. 16, 2024. All contractors and subcontractors will be legally obligated to conform their cybersecurity standards and protocols to the revised program in order to qualify for contracts. The DoD will update the rule as needed to address evolving cybersecurity standards, requirements and threats.