DoD’s Long-Awaited CMMC Proposed Rule: Short and Simple, But Missing Nuances and Treatment of CUI Identification Needed to Meet Program Objectives
After years of delay, and almost nine months after the corresponding draft CMMC rule in Title 32, the DoD has published the Title 48 DFARS CMMC proposed rule in the Federal Register. Comments are due Tuesday, October 15, 2024. The primary changes to the DFARS in the rule are to: “(1) add references to the CMMC 2.0 program requirements proposed at 32 CFR part 170; (2) add definitions for controlled unclassified information (CUI) and DoD unique identifier (DoD UID) to the subpart; (3) establish a solicitation provision and prescription; and (4) revise the existing clause language and prescription.” The proposed rule is fairly short and simple and contains few surprises, which may allow DoD to streamline the rulemaking and expedite the rollout of CMMC. The omissions from the rule are arguably more notable than what it contains. There are also some rough edges that should be addressed, and areas where the rule is perhaps overly simple in its approach and is missing nuance that the program requires.
For example, the revised CMMC clause requires that “The Contractor shall . . . only process, store, or transmit data on information systems that have a CMMC certificate or CMMC self-assessment at the CMMC level required by the contract, or higher.” DFARS 252.204–7021(b)(3). By its terms, this paragraph could be read to require that every contractor information system that processes, stores or transmits contract data must meet the CMMC level indicated in the contract. But just because a contract is designated CMMC Level 2 (for example) and will involve the contractor receiving or generating CUI does not mean that all data under the contract will constitute CUI, or that every information system used in contract performance must comply with CMMC Level 2. Contractors may choose to confine CUI to certain of their information systems, and use other systems only to process, store or transmit contract-related data that carries no similar safeguarding requirement, so that those systems are not required to meet CMMC Level 2. The DFARS clause should expressly preserve that potentially less burdensome option for contractors.
Notably, DoD opted not to address changes to DFARS 252.204-7012 in this rule. The agency evidently plans to revise the -7012 clause in a separate, parallel rulemaking under open DFARS case 2023-D024. That rule will reportedly “incorporate references to NIST SP 800-172 requirements, harmonize certain terminology, address international agreements, and streamline the vendor identification process.” DoD will likely also revise the -7012 clause consistent with the class deviation earlier this year (2024-O0013) to require compliance with NIST SP 800-171 Revision 2, instead of “the version of NIST SP 800-171 in effect at the time the solicitation is issued.” The agency should take the opportunity to amend the clause prescription as well, so that the clause is only included in solicitations and contracts that require CMMC Level 2 or 3 (i.e., those that will involve CUI), instead of including it in all solicitations and contracts except those solely for the acquisition of COTS items (per the current regulation). In any case, by handling changes to the -7012 clause on a separate track, DoD is leaving open further changes that could affect CMMC implementation pending the completion of that rulemaking, the timing of which is uncertain.
The proposed DFARS rule, like the earlier Title 32 CMMC proposed rule, also does not sufficiently address government identification of CUI. DoD’s Cybersecurity FAQs and DoD Instruction 5200.48 require the government to identify in the contract what CUI will be provided or generated. The DFARS does not specifically address that requirement, however, and it is not being implemented consistently. This has proven to be a major challenge for the DIB, particularly small businesses. Furthermore, in a June 2023 audit of DoD’s CUI program, the DoD OIG found that “DoD Components did not effectively oversee the implementation of that guidance to ensure that CUI documents and e-mails contained the required markings and that DoD and contractor personnel completed the appropriate CUI training.” Defense contractors should be able to rely on the description in the contract as to what CUI will or may be involved, and ideally should also generally be able to rely on DoD properly marking CUI.
The CMMC certification and attestation requirements will raise the stakes for contractor compliance with DoD’s cyber standards–and with good reason, given the national security implications. The regulations should provide for DoD to do its part as well, and that means taking primary responsibility for identifying CUI, and not putting the onus on defense contractors–most of which are small businesses–to ask about it.
I'm an expert in leveraging multimodal AI to produce high-quality results with minimal effort, enabling businesses to save time and scale efficiently from content creation to workflow automation.
7 months ago: Dan Ramish I follow your writings and Jacob Horne's writings/videos about CMMC. I appreciate what I have learned. I'd like to contribute to the community. My company tracks and analyzes all enacted and proposed rules when published in the Federal Register. We use AI to summarize and annotate R/PR documents which are visualized in a BI report published daily. That BI report presents a rolling 5-day snapshot of activity in the FR. I have placed the analysis of the Dec '23 CMMC PR and the CMMC PR published this week into this interactive BI report https://bit.ly/3yGUAo1. The report also contains access to the source PRs to cross reference if/when needed. There is no obligation or restrictions associated with the report. You are free to share it. We generally restrict copying of summarizations; however, I have enabled copying on the 2nd report page. The 3rd page of the report is optimized for viewing on phones.
CMMC Town Crier | Ask me about NIST security controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |
7 months ago: Relying on the contract to identify the categories of CUI involved is the domain of yet another rule: the FAR CUI rule. That proposed rule is with OIRA now, but its absence has left everyone high and dry for years.