
On Aug. 15, the U.S. Department of Defense issued a proposed rule, Assessing Contractor Implementation of Cybersecurity Requirements, which seeks to implement contractual requirements for DOD contracts related to the recently proposed Cybersecurity Maturity Model Certification 2.0 Program. Comments on the proposed rule are due Oct. 15.

Previously, on Dec. 26, 2023, the DOD released a proposed rule and guidance documents to establish CMMC 2.0. As proposed, CMMC 2.0 would require federal contractors and subcontractors competing for DOD contracts to demonstrate continued compliance with a range of cybersecurity measures to maintain eligibility for performing and winning new federal awards. ABC joined coalition comments on that rule, calling for more clarity and urging a flexible implementation of CMMC requirements. This rule has yet to be finalized.

The Aug. 15 rule largely defers to CMMC 2.0 as previously proposed, with a focus on providing guidance to contracting officers as well as standard contracting clauses and solicitation provisions to incorporate CMMC 2.0.

However, the proposed rule includes new provisions of note, including:

  • A requirement in the contract clause for contractors to notify contracting officers within 72 hours of “any lapses in information security”
  • A statement that a CMMC 2.0 certification is only current if there have been “no changes in CMMC compliance since the date of the assessment”
  • A requirement for contractors on DOD contracts to use only information systems that have an appropriate CMMC 2.0 certification, regardless of whether the data on these systems is covered by CMMC 2.0

For more information on the proposed rule and cybersecurity requirements impacting federal contractors, see Wiley Rein’s legal analysis of the proposal and ABC’s Cybersecurity Resource Guide.
