ARTICLE
10 October 2024

CMMC Rulemaking Approaches Comment Deadline

GT
Greenberg Traurig, LLP

Contributor

Greenberg Traurig, LLP has more than 2,850 attorneys across 49 locations in the United States, Europe, the Middle East, Latin America, and Asia. The firm’s broad geographic and practice range enables the delivery of innovative and strategic legal services across borders and industries. Recognized as a 2024 BTI “Leading Edge Law Firm” for anticipating and meeting client needs, Greenberg Traurig is consistently ranked among the top firms on the Am Law Global 100 and NLJ 500. Greenberg Traurig is also known for its philanthropic giving, culture, innovation, and pro bono work. Web: www.gtlaw.com.
On Aug. 15, 2024, the Department of Defense (DoD) published a proposed rule that would implement contract clauses under 48 CFR related to the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule).
United States Government, Public Sector
Go-To Guide:
  • Comment period on CMMC contract clauses closes on October 15, 2024.
  • Contractors must maintain compliance with the applicable controls throughout contract performance and notify contracting officers of system changes.
  • DoD may issue final rules relating to both the CMMC program and contract clauses later this year or in early 2025.


On Aug. 15, 2024, the Department of Defense (DoD) published a proposed rule that would implement contract clauses under 48 CFR related to the Cybersecurity Maturity Model Certification (CMMC) Program (Proposed Rule).1 DoD previously published a related proposed rulethat would implement the CMMC 2.0 Program under 32 CFR 170 and provided the relevant security requirements.2

This latest Proposed Rule would introduce changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual clauses to implement the CMMC Program. The Proposed Rule would modify the original CMMC contract clause, which DoD drafted in a Sept. 29, 2020, interim rule implementing the original CMMC Program (DFARS 252.204-7021).

Key elements of the proposed contract clauses include:

  • Requirement to enter the CMMC certificate or self-assessment results into the Supplier Performance Risk System (SPRS) at the specified CMMC level at the time of the contract award.
  • Affirmation of continuous compliance for each of the contractor information systems that process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI).
  • Notification to the contracting officer of any changes in the contractor's information systems that process, store, or transmit FCI or CUI during contract performance.
  • Include CMMC requirements in applicable subcontracts.

Interested contractors should submit their comments on the Proposed Rule by Oct. 15, 2024. To date, there have been 45 comments on the rule publicly posted to the docket.

DoD will adjudicate each of the comments before issuing the final rule. Given that DoD previously received public comments to the interim rule and responded to those in the Proposed Rule preamble, the adjudication process may be quick. DoD also received comments on the 32 CFR 170 program requirements earlier this year, and a final version of that rule may be released before the end of the year. DoD may also choose to release final versions of the rules at the same time, which would advise contractors of the effective start date(s). DoD may finalize these rules in early 2025, kicking off the CMMC program rollout.

*Special thanks to Northern Virginia Law ClerkOlivia Bellini ˘ for her contributions to this GT Alert.
˘Not admitted to the practice of law.

Footnotes

1. See GT Alert, Aug. 15, 2024.

2. See GT Alert, Jan. 17, 2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More