The Department of Defense (DoD) issued an interim rule on Sept. 29, 2020 to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) framework. This interim rule includes new DFARS clause 252.204-7021, which specifies CMMC requirements and enables the department to verify the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the unclassified networks of Defense Industrial Base (DIB) companies. The interim rule became effective on Nov. 30, 2020, following the 60-day public comment period. The Chief Information Security Officer (CISO) team for Acquisition and Sustainment is currently reviewing and adjudicating the comments.
The interim rule includes a phased rollout of CMMC implementation in fiscal years 2021-2025. Starting in fiscal year 2021, the department will pilot the implementation of CMMC requirements for Level 3 and below on select new acquisitions. In support thereof, the CISO team is currently reviewing the following pilot nominations from the military services and defense agencies and anticipates awards in late 2021:
- U.S. Navy
- Integrated Common Processor
- F/A-18E/F Full Mod of the SBAR and Shut off Valve
- DDG-51 Lead Yard Services / Follow Yard Services
- U.S. Air Force
- Mobility Air Force Tactical Data Links
- Consolidated Broadband Global Area Network Follow-On
- Azure Cloud Solution
- Missile Defense Agency
- Technical Advisory and Assistance Contract
For approved pilots, all offerors will undergo the appropriate CMMC assessment, and awardee must achieve the required CMMC level at time of contract award, and flow down the appropriate CMMC requirement to subcontractors. This allows for additional time to meet the CMMC certification requirement.
The CISO team continues to work with the Army and other defense agencies to identify and approve additional candidate CMMC pilots, to ensure they fit within the criteria, and will provide updates in the weeks to come.