New Cybersecurity Requirements

The Department of Defense issues a proposed rule for the Cybersecurity Maturity Model Certification program impacting cybersecurity requirements for defense contractors.

On December 26, the Department of Defense (DoD) published a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program that places unified cybersecurity and information security requirements on DoD contractors and subcontractors. DoD is soliciting comments on the proposed rule until February 26, 2024. Among the changes in the new rule are:

  • Reducing the number of companies that would require a third-party assessment;
  • Reducing the CMMC rating from five levels to three levels;
  • Allowing annual self-assessments for certain levels; and
  • Bringing back Plans of Action and Milestones (POAM).

The DoD proposes to implement the CMMC requirements over four phases, starting with the inclusion of CMMC Level 1 and Level 2 Self-Assessment requirements in all applicable DoD solicitations. This will begin on the effective date of the final rule and will be a condition of contract award. CMMC Level 3 is expected roughly six months to a year after implementation of the final rule. The full rollout, which will see CMMC program requirements included in all applicable solicitations and contracts, is expected to occur sometime in 2027.

This proposed rule applies to all DoD contractors and subcontractors who process, store, or transmit Federal Contractor Information (FCI) or Contractor Unclassified Information (CUI) on contractor-controlled information systems. The proposed rule clarifies that CMMC compliance applies to specific business sectors involved in the performance of the contract, not entire organizations. Therefore, as proposed, contractors can certify different sectors at different CMMC levels based on the information they handle for the scope of their contracts. The proposal also states that CMMC requirements apply to prime contractors and subcontractors throughout the supply chain, with prime contractors required to flow down CMMC certification obligations to subcontractors at all tiers, commensurate with the type and sensitivity of the information they handle.

AGC has long communicated the difficulty many contractors and their subcontractors have had implementing these cybersecurity requirements and the challenges that the CMMC model brings. AGC of America has previously filed comments on CMMC as it was developed and will file comments on the new proposed rule.

For more information, contact [email protected] or (703) 837-5368.
