Strengthening Cybersecurity Compliance: What You Need to Know About the Proposed DFARS Changes
The proposed rule amending 48 CFR will be published tomorrow (15 August 2024) in the Federal Register (https://www.federalregister.gov/public-inspection/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of). At that point a 60-day public comment period will begin.
In an era of increasingly sophisticated cybersecurity threats, the U.S. Department of Defense (DoD) is taking significant steps to ensure that its supply chain is resilient and secure. One of the latest developments in this area is the set of proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS), which introduce key updates centered on the Cybersecurity Maturity Model Certification (CMMC) 2.0. These changes are poised to affect contractors across the board, from large defense contractors to small and medium enterprises.
What Are the Key Changes?
The proposed amendments to DFARS are designed to integrate the CMMC 2.0 program more comprehensively into the defense contracting process. Here’s a breakdown of what these changes entail:
Incorporating CMMC 2.0 into DFARS: The updated DFARS language now explicitly references the CMMC 2.0 program requirements, which are detailed in 32 CFR part 170. This integration underscores the DoD’s commitment to enforcing stringent cybersecurity standards across its supply chain.
Clarifying Definitions: New definitions for Controlled Unclassified Information (CUI) and DoD Unique Identifier (DoD UID) have been added to enhance clarity and compliance. These definitions are critical for ensuring that all parties understand the scope of information that needs protection.
New Procedures and Clauses: The proposed changes introduce a new solicitation provision that requires contractors to meet specific CMMC levels. The existing DFARS clause (252.204-7021) has been revised to ensure that contractors maintain the required CMMC certification throughout the contract’s duration. Importantly, these requirements must also be passed down to all subcontractors, ensuring cybersecurity compliance at every level of the supply chain.
Phased Implementation of CMMC 2.0: The DoD plans a phased rollout of CMMC 2.0 over the next three years. During this period, the inclusion of CMMC requirements in solicitations and contracts will be determined on a case-by-case basis, with the exception of contracts solely for commercially available off-the-shelf (COTS) items.
Certification Requirements: Contractors must have a valid CMMC certification or self-assessment at the required level before being awarded a contract. This certification must be maintained and updated annually, and the requirements must flow down to all subcontractors handling Federal Contract Information (FCI) or CUI.
Responsibilities of Contracting Officers: Before awarding a contract, exercising an option, or extending the performance period, contracting officers must verify that contractors meet the necessary CMMC certification requirements through the Supplier Performance Risk System (SPRS).
Continuous Compliance: Contractors must continuously affirm their compliance with CMMC security requirements. They must also notify contracting officers of any changes to their information systems that could affect compliance, ensuring that any potential security gaps are addressed promptly.
Considerations in Certification Timing: The DoD carefully considered when to require CMMC certification during the procurement process and ultimately decided that certification should be required at the time of contract award. This approach balances the need to reduce risk for both the DoD and contractors while ensuring that cybersecurity standards are met from the outset.
Conforming Changes: To ensure consistency across the board, the proposed rule includes conforming changes to other DFARS sections, aligning them with the new CMMC 2.0 requirements.
What Does This Mean for Contractors?
The proposed DFARS changes represent a significant shift in how cybersecurity compliance is enforced within the defense supply chain. Contractors must be proactive in obtaining and maintaining the required CMMC certifications, which will be critical for securing and retaining DoD contracts. Additionally, subcontractors must adhere to these standards, meaning cybersecurity compliance will become a baseline expectation at all supply chain tiers.
For those already engaged in DoD contracts or looking to enter this space, understanding these proposed changes and preparing for CMMC 2.0 compliance is essential. The phased implementation offers some time to adjust, but the emphasis on continuous compliance means that contractors should begin aligning their cybersecurity practices with CMMC 2.0 requirements sooner rather than later.
Final Thoughts
As the DoD continues to strengthen its cybersecurity posture, these proposed DFARS changes clearly signal that compliance is not optional but necessary. By embedding CMMC 2.0 deeper into the procurement process, the DoD aims to ensure that its supply chain is robust and resilient against the evolving cybersecurity threats that face the nation today.
If you’re a contractor or subcontractor working with the DoD, now is the time to assess your cybersecurity practices and ensure that you’re on track to meet the new requirements. The future of defense contracting will hinge on your ability to protect sensitive information, and the proposed DFARS changes are a step toward ensuring that security is at the forefront of every contract.
Feel free to share your thoughts on these proposed changes or reach out if you have any questions about how to navigate this evolving landscape.