August 15, 2024 - DoD proposes final rule to incorporate CMMC requirements into its contracts

August 15, 2024 marked another milestone in the implementation of CMMC.

The U.S. Department of Defense (DoD) has just proposed a Final Rule to clarify its CMMC procurement rules and how it wants to integrate its cybersecurity requirements into contractual relationships with its suppliers.

This regulation is coming in ahead of schedule, reflecting DoD's strong desire to accelerate the pace and bring CMMC into force as quickly as possible.

You have the opportunity to comment on this Proposed Final Rule. Your comments may lead to changes in the CMMC process. The comment period closes on October 15, 2024.

Here's what you need to know about this new Proposed Final Rule:

CMMC effective date

  • Although the CMMC process is accelerating, DoD has not communicated an official date for CMMC's implementation.

  • Previous estimates therefore remain valid: CMMC will most likely be in effect in Q1 2025.

Clarification of CUI terminology

  • Several definitions of CUI were circulating.

  • DoD has clarified the term. From now on, CUI = information that the U.S. government creates or possesses, or that an entity creates or possesses for or on behalf of the government, and that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Introducing a new concept: DoD UID

  • You will be given a unique identifier, called a DoD unique identifier (DoD UID), when you submit a SPRS score.

  • The DoD UID is an alphanumeric string assigned in the SPRS system to each contractor information system that processes, stores or transmits FCI or CUI.

  • You will need to provide the DoD UID as part of any contract you obtain with DoD.

  • By providing your DoD UID, you commit to handling the DoD data received under that contract only in the identified system. Using it in any other system constitutes a lapse or change that must be reported.

Obligation to report lapses or changes

  • If, during performance of a DoD contract, the systems that collect, store and process CUI received (or created) under the contract are no longer CMMC-compliant or are changed, you are obliged to report this to DoD.

  • DoD does not clarify whether a contract could be withdrawn if your systems are no longer CMMC-compliant, but this possibility should not be ruled out: non-compliance constitutes a significant risk for DoD, and DoD may decline to accept it.

Note: contractors and subcontractors should be very careful and transparent when indicating the DoD UID of the system they will use for a project awarded by DoD. If you carry out the project on a different system and are unlucky enough to suffer a cybersecurity incident, you are obliged to report the incident to DoD. If, during the investigation, DoD discovers that you used a different system and failed to report it, you could potentially be charged with fraud and face the full rigor of U.S. law. We therefore strongly recommend that you be transparent.

Introduction of a new provision: DFARS 252.204-7YYY

  • DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements: this provision will notify offerors of the CMMC level required for a given DoD solicitation, as well as the requirements that must be met prior to contract award.


When should I provide proof that I have the CMMC certification required in a tender?

  • If a DoD solicitation requires CMMC certification (e.g. Level 2), the certification will not be required when you submit your bid, but at the time of contract award.

  • If you are selected for award and do not hold the required CMMC certification, you could lose the award.

It's your responsibility to ensure that your subcontractors have the required CMMC level.

  • DoD states that you are responsible for ensuring that your subcontractors hold the correct CMMC level before you share with them any information (CUI or FCI) that DoD shares with you under a contract you have obtained.

  • Note that the same requirement applies to CUI you yourself create for DoD under a contract. You will not be able to share it with subcontractors who do not hold the required CMMC level.

DoD may incorporate CMMC requirements into contracts before CMMC is implemented.

  • By default, CMMC requirements will be incorporated into DoD solicitations once the CMMC regulations come into force, most likely in Q1 2025.

  • However, DoD reserves the right to include CMMC certification requirements in solicitations earlier, at its discretion. Even in that case, your certification will not be required when you submit your bid, but at contract award: you may lose a contract if you are selected and do not hold the required CMMC certification.


DoD will not provide a platform for you to view the SPRS score or CMMC certification of your subcontractors.

  • DoD does not plan to provide its contractors with a platform to check whether their subcontractors are CMMC certified or not.

  • DoD indicates that it is your responsibility to check with your subcontractor to ensure that they are certified to the required level (CMMC Level 1, 2, or 3).

How do you determine the level of certification you should require of your subcontractors?

  • Let's assume that you hold both CUI and FCI, and that you are required to comply with CMMC Level 2:

  • If you share your CUI with a subcontractor, that subcontractor must obtain Level 2 certification, like you. It is your obligation to ensure that your subcontractor holds CMMC Level 2 before sharing your CUI with it.

  • If you only share FCI with a subcontractor, that subcontractor need only be CMMC Level 1 certified. You must verify this.

Obligation to maintain the required level of CMMC certification on an ongoing basis

  • DoD requires all contractors to hold and maintain the required CMMC level for the duration of any contract they have been awarded.

  • If at any time you are no longer compliant, you are required to report this to DoD.

  • So make sure you obtain and maintain your CMMC certification at all times.



Need Help?

Streamscan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process.

Our cybersecurity experts are available to assist you in your CMMC compliance process.

Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.