
Pentagon releases key CMMC contracting principles

The Department of Defense today released draft regulations that will incorporate Cybersecurity Maturity Model Certification, or CMMC, requirements into the contracting process.

A proposed amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) is scheduled to be published in the Federal Register on Aug. 15. It would incorporate CMMC requirements into Pentagon solicitations and contracts. The CMMC is intended to verify that defense contractors are following cybersecurity standards to protect sensitive but unclassified information, namely federal contract information (FCI) and controlled unclassified information (CUI).

The new procurement rules complement another proposed rule, released by the Pentagon in late December last year, that lays out the overall structure of the CMMC program, according to Jacob Horne, cybersecurity advocate at Summit 7, a company that sells CMMC services to defense contractors.

“The second part of the equation is the rule that we got today, which is a rule that revises the actual contract clause language that will appear in contracts, solicitations, purchase orders and the like, that will define the individual level of certification requirement that contractors will have to meet in order to receive a contract,” Horne said.

The proposed DFARS regulations would add a solicitation provision and a contract clause that notify contractors of the CMMC level required for a given procurement.

“They dot the i’s and dash the t’s, and that reinforces the requirements,” Horne said.

Under the CMMC program, the Department of Defense plans to require contractors to self-assess cybersecurity compliance or obtain third-party certification, depending on the sensitivity of the data covered by the contract.

The proposed DFARS regulations confirm that DoD will require organizations to submit a self-assessment or certification at the time of contract award.

DoD officials considered requiring companies to submit CMMC documents with their bids. However, as the DFARS rulemaking notice explains, DoD determined that this would pose “an increased risk to bidders because they may not have sufficient time to obtain the required CMMC certification.”

DoD also considered requiring certification after contract award. However, the department determined that this would involve “increased risk to DoD with respect to schedule and uncertainty due to the possibility that the contractor will not be able to achieve the required CMMC level in a timely manner given its current cybersecurity posture.”

Eric Crusius, a public procurement attorney and partner at Holland and Knight, said contractors should determine whether they will be required to comply with CMMC requirements well before the contract is awarded.

“I think while it’s helpful to read the RFP, I don’t think contractors should wait that long because if they do, it’s probably too late,” Crusius said.

CMMC implementation in stages

The rule also mandates a three-year “phased implementation” of CMMC requirements. “Implementation is intended to minimize both the financial impact to the industrial base, especially small entities, and disruption to the existing DoD supply chain,” the rule states.

Based on previous DoD rulemaking timelines, Horne suggested the three-year DFARS implementation could begin in the summer of 2025.

“What people should be looking at is that DoD program managers have a lot of flexibility in terms of being able to incorporate CMMC requirements into contracts during this transition period,” Horne said. “So it’s really important for people to communicate with their customers about their individual plans.”

By the end of the three-year implementation period, DoD estimates that 35% of contractors that handle sensitive data — about 10,340 entities — will be required to obtain a third-party “Level 2” CMMC certification. Meanwhile, about 65% of existing contracts will require a “Level 1” self-assessment, according to the DoD analysis.

Crusius said the numbers are largely in line with what the Pentagon has previously signaled. But he said many defense contractors will likely seek third-party certification to ensure they can compete for a wide range of DoD business.

“Most contractors have contracts that contain only federal contract information, and some contracts contain controlled classified information,” Crusius said. “Of course, contractors that sell only commercial off-the-shelf products would not be covered by this rule, nor would contractors that do fairly mundane tasks like mowing the lawn in front of a defense installation. But I think we will see more contractors seeking a Level 2, third-party assessment than DoD anticipates.”

The expected comment deadline for the proposed DFARS rule is October 14.

Copyright © 2024 Federal News Network. All rights reserved.