Proposed Rule

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

Proposed rule.


Summary:

DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the proposed Cybersecurity Maturity Model Certification 2.0 program rule, Cybersecurity Maturity Model Certification Program. This proposed DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.

Key Dates
Citation: 89 FR 66327
Comment period: Comments on the proposed rule should be submitted in writing to the address shown below on or before October 15, 2024, to be considered in the formation of a final rule.
Comments closed: October 15, 2024
Public Participation: 109 comments, 2 supporting documents (docket on Regulations.gov)
Topics: Government procurement

Rulemaking Status

This is a proposed rule. A final rule under the same RIN and docket (document 2025-17359) was published on Sep 10, 2025; see Related Documents below.

Document Details

Document Number: 2024-18110
FR Citation: 89 FR 66327
Type: Proposed Rule
Published: Aug 15, 2024
Effective Date: none (proposed rule)
RIN: 0750-AK81
Docket ID: DARS-2020-0034
Pages: 66327–66338 (12 pages)

Agencies & CFR References

Agency: Defense Acquisition Regulations System, Department of Defense (DoD)
CFR References: 48 CFR Parts 204, 212, 217, and 252 (as stated in the document heading)


Related Documents (by RIN/Docket)

2025-17359 (Final Rule): Defense Federal Acquisition Regulation S... Published Sep 10, 2025


Full Document Text (12,020 words)
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 204, 212, 217, and 252
[Docket DARS-2020-0034]
RIN 0750-AK81

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Proposed rule.

SUMMARY: DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the proposed Cybersecurity Maturity Model Certification 2.0 program rule, Cybersecurity Maturity Model Certification Program. This proposed DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.

DATES: Comments on the proposed rule should be submitted in writing to the address shown below on or before October 15, 2024, to be considered in the formation of a final rule.

ADDRESSES: Submit comments identified by DFARS Case 2019-D041, using either of the following methods:

○ Federal eRulemaking Portal: https://www.regulations.gov. Search for DFARS Case 2019-D041. Select “Comment” and follow the instructions to submit a comment. Please include “DFARS Case 2019-D041” on any attached documents.

○ Email: osd.dfars@mail.mil. Include DFARS Case 2019-D041 in the subject line of the message.

Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided. To confirm receipt of your comment(s), please check https://www.regulations.gov approximately two to three days after submission to verify posting.

FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-296-7152.

SUPPLEMENTARY INFORMATION:

I. Background

DoD is proposing to revise the DFARS to implement the contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, published in the Federal Register as a proposed rule affecting 32 CFR part 170 on December 26, 2023, at 88 FR 89058. CMMC 2.0 provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain. This proposed DFARS rule also partially implements section 1648 of the National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-92), which directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base no later than February 1, 2020. On September 29, 2020, an interim rule under DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, was published in the Federal Register at 85 FR 61505, effective November 30, 2020. On November 17, 2021, the notice “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward” was published in the Federal Register at 86 FR 64100 to suspend the CMMC 1.0 pilot efforts. The purpose of suspending the CMMC 1.0 pilot efforts was to allow for development of CMMC 2.0. On December 26, 2023, DoD published in the Federal Register at 88 FR 89058 a proposed CMMC 2.0 program rule, Cybersecurity Maturity Model Certification Program, to propose the establishment of the CMMC 2.0 program requirements at 32 CFR part 170.

II. Discussion and Analysis

The proposed changes to the existing DFARS language are primarily to: (1) add references to the CMMC 2.0 program requirements proposed at 32 CFR part 170; (2) add definitions for controlled unclassified information (CUI) and DoD unique identifier (DoD UID) to the subpart; (3) establish a solicitation provision and prescription; and (4) revise the existing clause language and prescription.

DoD is implementing a phased rollout of CMMC. Over a three-year period CMMC will be phased in based on the CMMC 2.0 program requirements identified at 32 CFR part 170. The clause at DFARS 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, is prescribed for use in solicitations and contracts that require the contractor to have a specific CMMC level, including solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial products and commercial services, excluding acquisitions exclusively for commercially available off-the-shelf (COTS) items. In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period will be determined by the program office or requiring activity after consulting the CMMC 2.0 requirements at 32 CFR part 170. During the phase-in period, when there is a requirement in the contract for CMMC, CMMC certification requirements must be flowed down to subcontractors at all tiers, when the subcontractor will process, store, or transmit Federal contract information (FCI) or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements to be established at 32 CFR part 170 (see the proposed rule published December 26, 2023, at 88 FR 89058).

After the phase-in period, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial products or commercial services (except those exclusively for COTS items), valued at greater than the micro-purchase threshold that involve processing, storing, or transmitting FCI or CUI. When a CMMC level is included in the solicitation or contract, contracting officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the results of a current certification or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements to be identified at 32 CFR part 170, in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance. Furthermore, CMMC certification requirements must be flowed down to subcontractors at all tiers when the subcontractor will process, store, or transmit FCI or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements to be established at 32 CFR part 170 (see 88 FR 89058).

A. Proposed Rule Changes

This proposed rule includes amendments to DFARS 204.7502, Policy. These amendments require at the time of award the results of a current CMMC certificate or CMMC self-assessment, at the level required, for all information systems that process, store, or transmit FCI or CUI during contract performance, when a CMMC level is included in the solicitation.

The proposed rule also adds a requirement at DFARS 204.7503, Procedures, for contracting officers to work with the program office or requiring activity to verify in SPRS, prior to awarding a contract, exercising an option, or when new DoD UIDs are provided, that: (1) the results of a current CMMC certificate or current CMMC self-assessment at the level required by the solicitation, or higher, are posted in SPRS for each DoD UID applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract; and (2) the apparently successful offeror has a current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each DoD UID applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract.

The proposed rule also adds a definition at DFARS 204.7501, for use only in the subpart, for the term CUI based on the 32 CFR 2002 definition of CUI. Definitions for current (as it relates to CMMC) and DoD UID are also added.

This proposed rule includes a new DFARS provision, 252.204-7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements, to provide notice to offerors of the CMMC level required by the solicitation and of the CMMC certificate or self-assessment results that are required to have been posted in SPRS by the apparently successful offeror prior to award, unless electronically posted. Offerors post CMMC Level 1 and Level 2 self-assessments into SPRS. Level 2 certificate assessment results will be electronically transmitted to SPRS by the third-party assessment organization (see the proposed rule published at 88 FR 89058, in the proposed text at 32 CFR 170.17, for details on CMMC Level 2 certification assessment requirements). Level 3 certificate assessment results will be electronically transmitted to SPRS by the DoD assessor (see the proposed rule published at 88 FR 89058, in the proposed text at 32 CFR 170.18, for details on CMMC Level 3 certification requirements). Apparently successful offerors are also required to provide, at the contracting officer's request, the DoD UIDs issued by SPRS for the contractor information systems that will process, store, or transmit FCI or CUI during contract performance. SPRS will i

(Preview truncated after roughly 10,000 of 84,000 characters of the document text.)