Pentagon Introduces Proposed Rule to Implement CMMC 2.0, Enforcing Cybersecurity Standards for Defense Contractors

WASHINGTON — The Pentagon has submitted a new proposed rule delineating how it will enforce cybersecurity standards for Controlled Unclassified Information (CUI) under the anticipated Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0).

Published to the Federal Register, the rule amends the Defense Federal Acquisition Regulation Supplement to ensure that CMMC 2.0 requirements are applied to all vendor contracts involving the Department of Defense (DoD) that handle CUI. This follows a similar December rule and introduces new stipulations for contracting officers, mandating that they confirm bidding parties’ CMMC compliance and notify them when CMMC requirements are part of a contract.

The CMMC 2.0 framework, which aims to enhance cybersecurity within the defense industrial base, operates on three tiers based on the amount of CUI involved. Level 1 companies can self-assess; some Level 2 companies may self-assess while others require third-party certification; and all Level 3 companies must be certified by Third-Party Assessment Organizations (C3PAOs). The proposed rule requires contract awardees to submit the results of a current CMMC certificate or self-assessment at the required level for all information systems that process, store, or transmit Federal Contract Information (FCI) or CUI.

The rule also stipulates that subcontractors, if handling sensitive information, adhere to the same standards as prime contractors. During the initial three-year period, the rollout is limited to specific contracts designated by the CMMC Program Office. Subsequently, DoD component program offices must include CMMC requirements in all solicitations and contracts involving FCI or CUI.

The comment period for this proposed rule will conclude on October 15. Subject to timely approval from the Office of Information and Regulatory Affairs, the phased implementation of CMMC 2.0 could commence at the start of next year, aligning with the timeline previously outlined by David McKeown, Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer at the DoD, as noted in earlier reports.

To read more about this development, visit Breaking Defense.