In the Headlines
August 14, 2024

Pentagon Releases Key CMMC Contracting Rules

Federal News Network

Government contracts and cybersecurity attorney Eric Crusius was interviewed by Federal News Network about the U.S. Department of Defense's proposed rule incorporating Cybersecurity Maturity Model Certification (CMMC) requirements into the federal contracting process. The new rule will amend the Defense Acquisition Regulations Supplement (DFARS) to include a provision about CMMC in DOD solicitations and contracts, in addition to outlining a three-year phased rollout of the program's requirements. Under the CMMC, contractors must either self-assess that they comply with cybersecurity standards or obtain a third-party certification, depending on the sensitivity of the data involved. For example, contractors handling controlled unclassified information (CUI) must obtain a Level 2 certification, whereas other contractors handling less sensitive information will only need to obtain a Level 1 certification. Mr. Crusius advised companies to take swift action to ensure they understand CMMC requirements, instead of waiting for a solicitation that spells them out. He also said he expects most contractors to seek a third-party certification because it will allow them to compete for a wider range of DOD contracts.

"I do think that while it's helpful to kind of see what's in the solicitation, I don't think contractors should wait that long, because if they do, it's probably going to be too late," he noted. "... I do think we'll see more contractors seeking a Level 2, third-party assessment than DOD anticipates."
