Pentagon a step closer to CMMC starting line with new contract rule proposal

The Pentagon cleared a major milestone Thursday on the path to instituting its cybersecurity standards program for contractors known as the Cybersecurity Maturity Model Certification 2.0.

The Department of Defense submitted a proposed rule that, once approved, would incorporate new cyber requirements into all contracts for vendors who want to do business with the U.S. military that involves sensitive but unclassified information.

Under the CMMC 2.0 program, any contractor or subcontractor that does work with the DOD involving what’s referred to as controlled unclassified information or federal contract information must obtain — or in some cases self-attest to — one of three levels of CMMC compliance, depending on the sensitivity of the information involved in the work.

Specifically, the new proposal, published in the Federal Register, aims to amend the Defense Federal Acquisition Regulation Supplement to implement those cybersecurity requirements in contracts as part of the larger CMMC 2.0 program — which itself is in the middle of the federal rulemaking process kickstarted with a separate rule proposal last December after a previous iteration of the CMMC program with more stringent requirements failed.

That previous proposed rule put forth in December 2023 would establish the CMMC program into federal law, laying out “requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have … implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.”

This latest proposed rule looks to complement that by spelling out how that program will be implemented in DOD contracts.

“These amendments require at the time of award the results of a current CMMC certificate or CMMC self-assessment, at the level required, for all information systems that process, store, or transmit FCI or CUI during contract performance, when a CMMC level is included in the solicitation,” the proposed rule reads.

It also includes a few other key clarifications for the administration of CMMC in defense contracts once these two rules are final. Notably, Thursday’s proposal spells out a phased rollout of requirements into contracts over the subsequent three years.

“In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period will be determined by the program office or requiring activity after consulting the CMMC 2.0 requirements” laid out in the December 2023 proposed rule, the latest proposal says. “During the phase-in period, when there is a requirement in the contract for CMMC, CMMC certification requirements must be flowed down to subcontractors at all tiers, when the subcontractor will process, store, or transmit Federal contract information (FCI) or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements.”

Once that period ends, CMMC will be in effect for all DOD contract solicitations.

More granularly, the newly proposed rule sets requirements for contracting officers to ensure bidding contractors are CMMC compliant, issues an updated definition for controlled unclassified information — the distinguishing element for contracts that require CMMC compliance — and introduces a provision to notify contractors when there are CMMC requirements in a contract, among other things.

Now, the clock starts on the comment period for the proposed rule, which will run through Oct. 15. At that point, the DOD will sort through any comments and make tweaks as necessary before submitting the rule for final approval to the Office of Information and Regulatory Affairs to be issued as a final rule.

Given the current timing, if things go smoothly during the next steps of the rulemaking process, the phased rollout of CMMC could begin sometime in mid-to-late 2025.