Enhancing Federal Contract Cybersecurity: The CMMC Initiative
Exciting developments in federal contracting cybersecurity!
The proposed 32 CFR CMMC Program rule outlines additional requirements for defense contractors and subcontractors, aiming to enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Here's a breakdown of the key points:
1. CMMC Compliance Verification: Under CMMC, compliance with NIST SP 800-171 will be verified by independent third-party assessors certified by the DoD, ensuring a rigorous evaluation process.
2. Contractual Requirements: Most solicitations for defense contracts involving FCI or CUI on non-Federal systems will include a specified CMMC level and assessment type requirement. These contractual processes will be addressed in DoD's DFARS Case 2019-D041.
3. Contract Categories and Requirements:
- CMMC Level 1: Annual self-assessment of the 15 security requirements outlined in FAR clause 52.204-21.
- CMMC Level 2: Triennial self-assessment or certification assessment of the 110 security requirements aligned with NIST SP 800-171 Rev 2.
- CMMC Level 3: Certification assessment of the 24 selected security requirements from NIST SP 800-172.
4. Affirmation Requirements: Senior officials from prime contractors and subcontractors must affirm continuing compliance with specified security requirements annually.
This proposed rule establishes the CMMC Program and sets forth detailed requirements for compliance, assessments, and affirmations across different CMMC levels. Stay tuned for further updates as the rule progresses!
#Cybersecurity #CMMC #FederalContracts #DoD #Compliance
I help B2B and B2G companies increase sales | GovCon Specialist | Business Development and Proposal Management | Accounting and Finance | Keynote Speaker
1 year
Vinnie Antinarelli
Civil Engineer, MBA
1 year
In today's environment, not having proper cyber security is gambling your company. The federal requirement is basically just documentation that you aren't also gambling government data. Following the NIST standards is hard, but there have been too many companies that have lost millions by not following them.