From the Department of Defense

Additional Cybersecurity Requirements for Contractors

by Trent Cotney, Partner, Adams & Reese, LLP

(Editor’s Note:  Trent Cotney, partner at Adams & Reese, LLP, is dedicated to representing the roofing and construction industries.  Cotney is General Counsel for the Western States Roofing Contractors Association and several other industry associations.  For more information, contact the author at (866) 303-5868 or go to www.adamsandreese.com.)

Recently, the Department of Defense (DOD) issued a second proposed rule regarding the Cybersecurity Maturity Model Certification (CMMC) program.  Titled Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, it outlines unified cybersecurity and information security requirements for DOD contractors and subcontractors.

Understanding the CMMC

The Defense Industrial Base (DIB) is often the target of complex cyberattacks.  The DOD developed the CMMC to protect national security information that supports and enables United States warfighters.  The program is aligned with information security requirements for DIB partners.  It is designed to safeguard sensitive, unclassified information the DOD shares with its many contractors and subcontractors.  The program ensures that contractors and subcontractors meet the cybersecurity requirements necessary for acquisition systems that process such unclassified information.

What the Second Rule Calls For

On December 26, 2023, the DOD issued the first proposed rule, which focused on requirements for prime contractors and subcontractors in the CMMC program.  This latest proposed rule, published in the Federal Register on August 15, supplements the first rule.  Of note, it includes additional Defense Federal Acquisition Regulation Supplement guidance for federal contracting officers and revisions to contract clause requirements.  There are three main features for contractors to know:

Tiered Model: Companies entrusted with national security information must implement cybersecurity standards at tiered levels that progressively advance based on the information type and sensitivity.  There is also a process by which information is protected as it flows down to subcontractors.

Assessment Requirement: The DOD is allowed to verify the implementation of distinct cybersecurity standards.

Implementation through Contracts: As a condition of a contract award, DOD contractors who handle sensitive unclassified DOD information will be expected to attain a particular CMMC level.

Some specific amendments include the following requirements for contractors: having and maintaining the requisite CMMC level for the life of the contract; completing and maintaining affirmation of continuous compliance with the security requirements; notifying the contracting officer about changes in the contractor information systems that process, store, or transmit Federal contract information or controlled unclassified information during contract performance, and providing the corresponding DOD unique identifiers for those information systems to the contracting officer; and ensuring subcontractors have the appropriate CMMC level before awarding a subcontract or agreement.

The Proposed Timeframe

The DOD plans to implement these requirements over four phases.  Level one and level two self-assessment requirements for all applicable DOD solicitations will start on the date of the final rule.  Level three will take effect approximately six months to a year after the final rule implementation.  Final CMMC program requirements will be included in all applicable solicitations and contracts starting in 2027.

What This Means for Contractors

Contractors and design professionals working on DOD projects will have the added responsibility of implementing these cybersecurity safeguards.  Failure to do so could jeopardize their status with the DOD and future projects.  Although there will likely be added time and costs associated with these new requirements, the DOD contends that these measures are necessary to safeguard United States intellectual property and national security.