DOD unveils proposed final rule for CMMC contracting


A phased rollout of the cybersecurity standard should begin in early 2025, with varying compliance levels and increased program office discretion.

After months of anticipation, the Defense Department has released a proposed rule for how it will incorporate Cybersecurity Maturity Model Certification requirements into defense contracts.

The Thursday Federal Register notice confirms several things we have known since the CMMC proposed rule was released in December.

Most importantly, the CMMC rule will have a phased rollout once it becomes final, which is widely expected to happen in early 2025.

During the phase-in period, individual program offices will decide whether CMMC will be a requirement. But by the end of the phase-in, all defense contracts will require one of the three CMMC compliance levels.

Level 1 continues to be self-assessment for CMMC compliance. Levels 2 and 3 require increasing levels of third-party assessments.

The new proposed rule also seeks to clarify several definitions involving CMMC, including what will be considered Controlled Unclassified Information.

CUI is what CMMC is meant to protect. This is generally government data stored on industry information systems. Companies store this data in their systems as part of the work they do for federal agencies and while not technically classified, it is sought after by adversaries.

The proposed final rule will help keep the pressure on contractors to maintain compliance with CMMC throughout the life of a contract. There also are notification requirements if a contractor changes their systems.

The rule also will require CMMC compliance at the time of contract award. This should allow companies to bid on work with a CMMC requirement before they have reached the needed compliance level, but they have to be in compliance when the award is made.

The proposed rule also puts a lot of power and discretion into the hands of the program office. The plus is that it gives the Defense Department flexibility, but the potential downside is inconsistent application of CMMC requirements, particularly in the early days.

The new notice is a Part 48 rule for the defense acquisition rules. It describes how the proposed CMMC rule, which is a Part 38 rule, will be added to contracts.

The Part 38 rule was released on Dec. 23, 2023. The comment period is closed and the rule will be sent to Congress, which will have the opportunity to reject it.

Congress does not need to approve it, and the chances are slim that it will reject it.

But there is a deadline. The rule needs to go to Congress by mid-October so that it can become final before the end of December.

The congressional disapproval period cannot cross from one Congress to the next. Because this is an election year, we’ll have a new Congress in early January.

If the rule gets to Congress before the end of October, CMMC will become final by the end of December or very early in January.

But if the rule goes to Congress after October, CMMC will not become final until sometime in March.

Comments on the Part 48 rule are due by Oct. 15.