On Aug. 15, 2024, the Department of Defense (DoD) released the highly anticipated proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) 2.0 contracting rules, marking a significant step toward enhancing cybersecurity across the Defense Industrial Base (DIB).
With CMMC 2.0, the DoD aims to simplify and streamline cybersecurity compliance while reinforcing the safeguarding of sensitive information within its contractor network.
Learn more about the CMMC’s history, the ruling’s key provisions, and how the proposed changes will impact government contractors’ cybersecurity compliance requirements.
The CMMC’s beginnings and evolution
The original CMMC program was announced in 2019 in response to growing concerns over cybersecurity risks within the DIB. When draft requirements were published in 2020, CMMC 1.0 required DoD contractors and subcontractors to meet varying levels of cybersecurity maturity, depending on the nature of their work and the sensitivity of the data they handled. However, the complexities and costs associated with compliance under the initial version led to feedback from industry stakeholders, prompting the DoD to overhaul the program.
CMMC 2.0 was introduced in late 2021 as a more flexible and cost-effective approach to cybersecurity compliance. The primary goals of CMMC 2.0 were to reduce the administrative burden on contractors while still ensuring the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The latest proposed rule, published on Aug. 15, 2024, builds on the December 2023 guidance, providing additional clarity on how the program will be administered and outlining the necessary contractual obligations.
Key provisions of the proposed rule
The proposed rule introduces several critical updates to the CMMC framework and formalizes many aspects of the CMMC 2.0 program. One of the most significant changes involves the contracting process. Under this proposed rule, contract solicitations will include the CMMC level required for the contract. Previously, officials had considered requiring CMMC certification documents as part of contract proposals, and others had considered requiring certification after contract award. So not only will the contract specify the compliance level required, but contractors will also be required to submit CMMC certification documents at the time of award, meaning contractors will need to be compliant before the award is granted.



