Important notice for DoD contractors and subcontractors
Attention all DoD contractors, subcontractors, and suppliers!
Last week, DoD issued its proposal to amend the Defense Federal Acquisition Supplement (DFARS) to incorporate solicitation and contractual requirements to implement CMMC 2.0, once finalized. As part of the notice and comment process, DoD seeks comments by October 15, 2024. Speak Now!
What’s in the new proposed rule?
Under the proposed rule, DoD plans to revise the existing DFARS language to: add references to the eventual CMMC 2.0 regulation; add definitions for Controlled Unclassified information (“CUI”) and DoD Unique Identification (“DoD UID”); establish solicitation provisions for contracting officers to incorporate in contracts; and revise the existing DFARS clause language and description. Additionally, the proposed rule requires increased subcontractor/vendor screening and evidence of compliance.
Why should you care?
The proposed rule will impact DoD contractors and subcontractors at all tiers, because the 3-year CMMC phase-in may start as early as summer of 2025!
During the 3-year phase-in period, DFARS 252.204-7021 will be included in all solicitations, including those for the commercial items and services (except COTS) where there is a requirement for CMMC security protections. DoD Contractors will be ineligible for award of a new contract and ineligible for the exercise of an option under an existing contract without meeting the requirements.
If the clause is included, contractors have to flow down the requirement to subcontractors and vendors at all tiers according to the level of information they will receive.
This means that contractors should start now to ensure their preparedness, modify their internal compliance programs, include vendor screening for CMMC certifications, and change their processes and procedures to accommodate the new CMMC requirements. Some of the requirements for Contractors will include:
- obtaining and maintaining the requisite CMMC level for the life of the contract;
- submitting the DoD UIDs issued by SPRS for applicable contractor information systems to the Contracting Officer (CO);
- requiring a senior company official to affirm of continuous compliance with the CMMC level security requirements to be implemented at 32 CFR part 170; and
- notifying the CO of any changes in the contractor or subcontractor information systems possesses, stores, or transmits Federal Contract Information (“FCI”) or CUI.
Want to know which regulations apply to you? Not sure if you’re ready for CMMC or compliance with any of the cybersecurity regulations?
Even though the cybersecurity regulatory landscape has been busy over the last year, luckily for you, Ward & Berry has kept pace!We’ve been tracking new cyber regulations and security requirements, NIST standards, CMMC regulations, and are helping our clients be proactive in preparation.
Additionally, Ward & Berry recently expanded its cybersecurity and technology bench of skilled professionals by adding Jennifer Morris as a new Partner to help Ward & Berry be even more prepared to help companies like yours as you work to understand and comply with the new CMMC and DFARS requirements. Jennifer has over 24 years of experience working with defense contractors in technology and cybersecurity. She has served as counsel to multiple DoD CIO offices, including as a senior acquisition/procurement counsel to the Navy and acquisition/procurement counsel to the CIA, and as a US Army Reserves JAG Officer. More importantly, Jennifer has spent numerous years working in-house for technology and cybersecurity companies helping them implement and streamline compliance programs, win new government contracts and achieve increased revenue/growth. Reach out to Jennifer Morris and the Ward & Berry team at large for any cybersecurity questions you may have!
Our shining associates have also been tracking new developments:
- Nicholas Perry discussed the NIST SP 800-171 rev. 3 update in a recent post. Read more here.
- Camille Chambers shared a DFARS Class deviation incorporating 800-171 rev. 2 requirements into a DFARS CUI alternate clause. Read more here.
And remember – if you have something to say about the proposed rule, SPEAK NOW – comments are due October 15, 2024! To make comments go to the federal rulemaking portal athttps://www.regulatons.gov – search for “DFARS Case 2019-D041” and select “Comment” or email osd.dfars@mail.mil.