48 CFR Parts 204, 212, 217, and 252 Proposed Rule
DRAFT. Review! I think this should also include an assumed rollout schedule, phase 1 likely beginning around Jun 2025. What contracts are affected, what types of assessments are available vs. required, etc.
48 CFR Parts 204, 212, 217 and 252 are the parts of the Defense Federal Acquisition Regulation Supplement (DFARS) that this proposed rule amends. The DFARS contains the regulations governing how the DoD purchases goods and services. This proposed rule sets out how CMMC requirements will be integrated into DoD contracts. It is often referred to as the 48 CFR CMMC rule because the DFARS is part of Title 48 of the Code of Federal Regulations (CFR).
Key aspects of this proposed rule:
- Integrating CMMC into Contracts: This rule will enable the DoD to specify a required CMMC level in its contracts and solicitations (requests for bids). Consequently, if a contract mandates a particular CMMC level, a company will likely need to achieve that level to be eligible for the contract award.
- Pre-Award Requirements: If a contract includes a CMMC requirement, the bidding company will generally need to have its CMMC status (either a formal certification or a self-assessment) recorded in the Supplier Performance Risk System (SPRS) before the contract can be awarded, and it must also affirm its continuous compliance with those security requirements in SPRS. Both are generally verified at the time of award.
- Different CMMC Levels: The specific CMMC level required for a contract will be clearly stated in the contract and related solicitation documents.
- Handling Sensitive Information: The CMMC requirements apply to information systems that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) during the performance of the contract. CUI is government information that requires protection.
- Responsibilities Post-Contract Award: Companies awarded contracts with CMMC requirements will need to maintain the required CMMC level for the entire duration of the contract. They are also obligated to notify the DoD of any lapses in their information security or changes in their CMMC status. Furthermore, they must complete an affirmation of continuous compliance in SPRS annually and whenever their CMMC compliance status changes. They should process, store, or transmit FCI or CUI only on information systems that hold the required CMMC level.
- Subcontractor Compliance: If a prime contractor (the main company with the DoD contract) engages subcontractors who will handle FCI or CUI, those subcontractors will also be required to meet appropriate CMMC levels. The prime contractor is responsible for ensuring that their subcontractors comply with the necessary CMMC requirements before awarding a subcontract. The required CMMC level for subcontractors will depend on the sensitivity of the information being shared with them.
- Exemption for Basic Commercial Items: Generally, contracts that are solely for the acquisition of Commercially Available Off-the-Shelf (COTS) items are excluded from CMMC requirements. The term "exclusively COTS" refers to awards solely for items that fall within the definition provided in the Federal Acquisition Regulation (FAR) at 2.101.
- Implementation Timeline: CMMC requirements will be implemented through a phased rollout over a three-year period. Initially, CMMC requirements will be included in specific contracts as directed by the CMMC Program Office. After the three-year phase-in, CMMC will apply more broadly to all relevant DoD solicitations and contracts valued above the micro-purchase threshold.
- Verification System: The Supplier Performance Risk System (SPRS) will serve as the system the DoD uses to verify a contractor's CMMC status. Contractors will be required to post the results of their CMMC self-assessments and, for Levels 2 and 3, their certificates into this system. Apparently successful offerors will also need to provide the DoD Unique Identifiers (UIDs) issued by SPRS for the information systems that will handle FCI or CUI. Contracting officers will use SPRS to verify the contractor's CMMC level and affirmation of continuous compliance prior to award, option exercise, or extension of performance.
- Relationship with Other Cybersecurity Requirements: CMMC assessments are not intended to duplicate efforts from other comparable DoD assessments, except in rare circumstances. The rule clarifies that DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and 252.204-7021 (CMMC Compliance) have distinct purposes and are not duplicative. Clause 252.204-7012 imposes cybersecurity requirements, while clause 252.204-7021 requires an assessment of how well a contractor is meeting those requirements.