Final Rule

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

Final rule.

📖 Research Context From Federal Register API

Summary:

DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification program rule, titled Cybersecurity Maturity Model Certification Program. This final DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.

Key Dates
Citation: 90 FR 43560
This rule is effective November 10, 2025.
Public Participation
0 comments 2 supporting docs
Topics:
Government procurement

Document Details

Document Number: 2025-17359
FR Citation: 90 FR 43560
Type: Final Rule
Published: Sep 10, 2025
Effective Date: Nov 10, 2025
RIN: 0750-AK81
Docket ID: Docket DARS-2020-0034
Pages: 43560–43577 (18 pages)
Text Fetched: Yes

Related Documents (by RIN/Docket)

Doc # | Type | Title | Published
2024-18110 | Proposed Rule | Defense Federal Acquisition Regulation S... | Aug 15, 2024

Full Document Text (18,512 words · ~93 min read)

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 204, 212, 217, and 252

[Docket DARS-2020-0034]

RIN 0750-AK81

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Final rule.

SUMMARY: DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification program rule, titled Cybersecurity Maturity Model Certification Program. This final DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.

DATES: This rule is effective November 10, 2025.

FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-296-7152.

SUPPLEMENTARY INFORMATION:

I. Background

DoD published an interim rule in the Federal Register at 85 FR 61505 on September 29, 2020, to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. DoD subsequently published a proposed rule in the Federal Register at 89 FR 66327 on August 15, 2024, to implement the contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) program. Ninety-seven respondents submitted public comments in response to the proposed rule.

Separately, a proposed rule to establish the CMMC program at 32 CFR part 170, Cybersecurity Maturity Model Certification Program, was published in the Federal Register at 88 FR 89058 on December 26, 2023. A final rule was published in the Federal Register at 89 FR 83092 on October 15, 2024, and became effective on December 16, 2024.

II. Discussion and Analysis

DoD reviewed the public comments in the development of the final rule. A discussion of the comments and the changes made to the rule as a result of those comments is provided, as follows:

A. Summary of Significant Changes From the Proposed Rule

The following significant changes from the proposed rule are made in the final rule:

1. Definitions

The final rule adds and modifies certain definitions at DFARS 204.7501, Definitions. The definition of “current” was changed to clarify that it is related to having no changes in compliance with the requirements at 32 CFR part 170. The definition of “current” was also updated to clarify what “current” means when referring to “Conditional CMMC Status”, “Final CMMC Status”, and “affirmation of continuous compliance.” The term “DoD unique identifier” was updated to “CMMC unique identifier” to match the naming convention in the Supplier Performance Risk System (SPRS). The definition of CMMC unique identifier (UID) clarifies that it means ten alpha-numeric characters assigned to each contractor CMMC assessment and reflected in SPRS for each contractor information system. The final rule adds the definition of “Federal contract information” based on the definition from the clause at Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, to provide clarity as the term is used widely throughout the rule. The final rule adds a definition of “plan of action and milestones” (POA&M) based on the definition codified at 32 CFR part 170, given this term has been added to the rule. The final rule also adds the term “CMMC status” and a definition for the term to clarify for contracting officers what they will view in SPRS when performing reviews of an offeror or contractor's CMMC status.

2. Policy

DFARS 204.7502, Policy, includes language to add more clarity by stating that for CMMC levels 2 and 3 only, a conditional CMMC status is permitted for a period not to exceed 180 days from the conditional CMMC date, in accordance with 32 CFR 170.21, and an award can occur with a CMMC conditional status. The language at DFARS 204.7502 has also been updated to include a statement that a final CMMC is achieved upon successful closeout of a valid POA&M, which clarifies the policy related to POA&Ms.

3. Procedures

The language at DFARS 204.7503 was updated to add paragraph headings to clarify the topic addressed in each paragraph. Language was updated to clarify that contracting officers are required to check SPRS and not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level required by the solicitation, or higher, for each CMMC UID provided by the offeror applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and be used in performance of the contract posted in SPRS. The language at paragraph (d) has been updated to clarify that all offerors are required to provide the CMMC UIDs applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that will be used in performance of the contract.

4. Clause Prescription

At DFARS 204.7504 the prescription for the contract clause has been updated to clarify the phased implementation approach based on public comments that indicated some uncertainty with the timeline. The prescription was updated to clarify that, unless the requirements at 32 CFR 170.5(d) are met, until three years after the effective date of the rule, the clause will be prescribed for use if program managers and requiring activities make a determination to apply a CMMC requirement to contracts, excluding awards solely for the acquisition of commercially available off-the-shelf (COTS) items. Beginning three years and one day after the effective date of the rule, the clause will be prescribed for use if program managers and requiring activities determine that the contractor will be required to use contractor information systems in the performance of the contract, task order, or delivery order to process, store, or transmit FCI or CUI, excluding awards solely for the acquisition of COTS items.

5. Solicitation Provision and Contract Clause

The contract clause has been updated to include a fill-in for the contracting officer to identify the CMMC level required by the contract. The subcontract flowdown language in the clause has been updated to identify that subcontractors also must submit affirmations of continuous compliance and the results of self-assessments in SPRS. The clause has been updated to include the term “affirming official” in place of “senior company official” to match the language codified at 32 CFR part 170. The solicitation provision and contract clause have been updated to include the terminology the contracting officer will need to use when entering the CMMC level required by the solicitation and contract, which includes: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC).

The solicitation provision was updated to clarify that offerors will not be eligible for award of a contract, task order, or delivery order resulting from a solicitation containing the provision, if the offeror does not have the results of a current CMMC status entered in SPRS at the CMMC level required by paragraph (b)(1) of the provision and a current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each of the contractor information systems that will process, store, or transmit FCI or CUI and be used in performance of an award resulting from the solicitation. The solicitation provision was also updated to clarify that all offerors will be required to provide, with the proposal, the CMMC UIDs issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract, task order, or delivery order resulting from a solicitation containing the provision. Offerors will also be required to update the list when new CMMC UIDs are provided in SPRS.

B. Analysis of Public Comments

Technical and programmatic comments on CMMC were addressed in the CMMC program rule that codified the CMMC program requirements at 32 CFR part 170. In addition, the comments related to the CMMC cost analysis were also addressed under the CMMC program rule that codified 32 CFR part 170. This DFARS rule addresses the nontechnical and nonprogrammatic comments.

1. Clarification of “Changes”

Comment: Several respondents asked for more clarity regarding what “changes” means in the proposed rule. A respondent recommended changing paragraph (c)(3) of the clause at 252.204-7021 to “Report to the Contracting Officer any changes to the information reported in SPRS for the list of CMMC UIDs applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract” instead of “Report to the Contracting Officer any changes to the list of CMMC UIDs applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract.”

Response: Based on the public comment, and to add clarity

[Preview showing 10k of 126k characters. Full document text is stored and available for version comparison.]