On August 15, 2024, the Department of Defense (DoD) unveiled an updated proposed rule that will significantly impact the implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. A 60-day review/comment period will also be factored in, to run through Monday, October 14th. This update to the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7021 marks a pivotal moment for defense contractors preparing for CMMC compliance.
Key Changes in the August 2024 Proposed Rule
1. CMMC Level Specification: Contracting Officers will now be required to explicitly state the required CMMC Level in each applicable DoD contract.
2. Continuous Compliance: Contractors must maintain the specified CMMC level throughout the entire contract duration for all information systems handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
3. Rapid Incident Reporting: A new 72-hour notification requirement has been introduced. Contractors must alert the Contracting Officer of any "lapses in information security" or changes to their CMMC certification status, including self-assessments.
4. Annual Affirmation: Contractors are now mandated to provide an annual affirmation of "continuous compliance" with applicable cybersecurity requirements.
5. Subcontractor Oversight: Prime contractors are now responsible for ensuring their subcontractors maintain current CMMC certificates or self-assessments at the required flowdown level, before awarding contracts. CMMC requirements must be explicitly stated.
These updates significantly raise the bar for cybersecurity compliance in the defense industry. The rapid reporting requirement and the need for continuous compliance introduce new challenges that contractors must be prepared to meet. The responsibility for subcontractor compliance also adds a layer of complexity to prime contractors' duties.
CMMC 2.0 Overview and Implementation Timeline
With these August updates in mind, let's revisit the broader context of CMMC 2.0.
Three-Tiered Approach
CMMC 2.0 establishes three levels of cybersecurity requirements:
-
Level 1: Basic cyber hygiene practices, primarily for FCI handling.
-
Level 2: Broader controls for CUI protection, aligned with existing NIST SP 800-171 requirements.
-
Level 3: Additional controls beyond Level 2, based on NIST SP 800-172, for the most sensitive contracts.
Assessment and Certification
- Level 1: Self-assessment required.
- Level 2: Contracting agency's choice between self-assessment or triennial third-party certification.
- Level 3: Requires both third-party certification and government-led assessment.
Implementation Timeline
The DoD anticipates finalizing the CMMC 2.0 rule by early 2025. Implementation is expected to begin 30 to 60 days after the effective date, with a phased rollout over three years.
Preparing for Compliance
In light of these updates, defense contractors who aren’t already in the process of gaining compliance should:
-
Review current and anticipated contracts to determine their likely CMMC level requirements.
-
Develop or update cybersecurity strategies to meet the new rapid reporting and continuous compliance mandates.
-
Establish robust subcontractor management processes to ensure compliance throughout the supply chain.
-
Implement internal procedures for ongoing monitoring and annual affirmations of compliance.
Contractors failing to meet CMMC requirements risk not only contract ineligibility but also potential False Claims Act litigation, which can result in significant financial penalties and reputational damage.
Looking Ahead
While CMMC 2.0 is specific to defense contracts, it reflects a broader trend in federal contracting towards heightened cybersecurity standards. Contractors should view these changes not just as compliance requirements, but as an opportunity to strengthen their overall cybersecurity posture in an increasingly digital and vulnerable landscape. As we approach the implementation of CMMC 2.0, staying informed and proactive will be key to successfully navigating these new requirements and maintaining eligibility for DoD contracts.
With a single data security platform, Virtru addresses 27 out of the 110 CMMC Level 2 controls, significantly streamlining your compliance efforts across a broad spectrum of requirements.
Recommended Reading: Virtru Shared Responsibility Matrix for CMMC 2.0
By implementing Zero Trust data controls with Virtru, you can confidently share CUI both internally and externally, meeting crucial CMMC 2.0 requirements for access control, integrity, auditing, and comprehensive protection across media, systems, and communications. With Virtru, you have the ability to monitor and manage your sensitive information even as it moves beyond your immediate perimeter.
Open doors to new, innovative collaboration workflows between primes, subcontractors, and mission partners. Learn more about Virtru for CMMC 2.0 by booking a customized demo today.
