CMMC: DoD publishes contractor obligations - 48 CFR CMMC

The U.S. Department of Defense (DoD) has just proposed a Final Rule to clarify its CMMC procurement rules.

Here is a summary of the obligations of DoD contractors and subcontractors (48 CFR CMMC ).

Requirement for CMMC certification prior to contract execution

• DoD states that before it awards you a contract, you will be required to prove that you have the required CMMC certification.
• No contract will be awarded to a contractor or subcontractor which does not have the required CMMC certification.

Obligation to maintain your CMMC certification level throughout the duration of the contract

• DoD requires all contractors to maintain the required CMMC level throughout the duration of any contract they have been awarded.

Obligation to report lapses or changes

• If, during the performance of a DoD contract, your systems that collect, store and process CUI received (or created) under the contract are no longer CMMC-compliant or are changed, you are obliged to report this to DoD.

• Failure to report may be considered fraud.

Obligation to ensure that your subcontractors also have the correct CMMC certification

• DoD states that you are responsible for ensuring that your subcontractors have the required CMMC level, before sharing with them any information (CUI or FCI) that DoD shares with you under a contract you have obtained.
• Note that the same requirement applies if you yourself create CUI for DoD as part of a contract it gives you. You will not be able to share them with your subcontractors who do not have the required CMMC level.