August 20, 2024
Breaking News: 48 CFR CMMC Rule Published in Federal Register
Last week the proposed rule “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements” was published in the Federal Register. The 60-day comment period has begun!
What is this? This is the 48 CFR rule that actually implements the CMMC Program. It is an update to the interim rule of September 29, 2020, which gave us the 7019, 7020 and 7021 clauses.
No big surprises here, but some interesting new details, especially about the “DoD unique identifier (UID)” that will be assigned to every CMMC self-assessment and/or CMMC certification recorded in SPRS. This DoD UID will reference a specific contractor information system which was assessed.
Under the new 7021 clause, when a contractor responds to a solicitation, they must identify the DoD UID for “each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract.” The contracting officer must verify that each DoD UID listed has a current CMMC self-assessment or certification at the level required for that contract, as well as a current affirmation of continuous compliance with the security requirements for the level required by contract, prior to awarding the contract.
Further, the contractor must only process, store or transmit data under the contract on the DoD UIDs previously identified. The contractor may identify additional DoD UIDs during the course of the contract, and the contracting officer must verify their CMMC compliance as well, before they may be used in the performance of the contract.
(I’ve heard stories of contractors setting up a very small enclave to be assessed, and then using their normal networks to work on contract data. I believe this new DoD UID requirement is a direct response to this.)
The contractor must “Notify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract;”.
Finally, this clause must be flowed down to any subcontractors who will be receiving FCI or CUI, and it’s the contractor’s responsibility to verify the CMMC compliance of such subcontractors.
What does this mean? If you are already working towards full implementation of the security requirements of your current contracts, then the publication of this rule is simply verification that “It’s really happening.” Most everyone agrees that we will be seeing this 7021 clause for CMMC compliance in contracts early next year.
If you are not actively working on meeting current security requirements, this is your wake-up call that “It’s really happening!” Most organizations require 4-6 months to become fully compliant with CMMC Level One, and 12-18 months to become compliant with CMMC Level Two. The time between responding to a solicitation and being awarded the contract is not enough time to play catch-up.
Need help? I'm just an email or phone call away! Schedule a time to chat.
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!