Understanding 48 CFR and Its Impact on CMMC Compliance

On August 15, 2024, the long-anticipated 48 CFR CMMC rule was published, marking a significant milestone in cybersecurity compliance for defense contractors. This rule is set to become a DFARS (Defense Federal Acquisition Regulation Supplement) clause, embedding the Cybersecurity Maturity Model Certification (CMMC) requirements into Department of Defense (DoD) contracts. With a 60-day comment period followed by a review, the rule will soon take effect, and all contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must adhere to its guidelines.

Key Provisions of 48 CFR and CMMC

CMMC Requirements for All Tiers of Subcontractors:

One of the most critical aspects of 48 CFR is the mandatory flow-down of CMMC requirements to all subcontractors at every tier. If a subcontractor will process, store, or transmit FCI or CUI, it must comply with the specified CMMC level. This ensures a consistent cybersecurity standard across the entire supply chain.

CMMC Applicability Across DoD Contracts:

After a three-year phase-in period, CMMC compliance will be required for all DoD solicitations and contracts, including those involving commercial products or services. However, contracts solely for Commercial Off-The-Shelf (COTS) items and those below the micro-purchase threshold of $20,000 are excluded from this requirement.

Submission of DoD Unique Identifiers (UIDs):

Contractors and subcontractors must submit DoD UIDs to the contracting officer. These UIDs are generated from the Supplier Performance Risk System (SPRS) after a score is entered. Every system that supports a contract must have its UID submitted, ensuring traceability and accountability for cybersecurity compliance.

Continuous Compliance and Affirmation:

Maintaining the requisite CMMC level throughout the contract’s life is non-negotiable. Organizations must submit the DoD UIDs of the systems that will store, process, or transmit CUI during contract performance and provide continuous affirmation of compliance. This affirmation must be made by a senior company official, who confirms that the organization’s self-assessment or certification remains current and that its systems continue to comply with security requirements.

Notification of System Changes:

Organizations are required to notify the contracting officer of any changes to systems that process CUI during the contract’s performance. This includes submitting new DoD UIDs for any updated systems, allowing the government to review and ensure continued compliance.

CMMC Clause Inclusion in Contracts

The 48 CFR rule mandates that the appropriate CMMC level be included as a contract clause. This ensures that all subcontractors meet the required CMMC level before any subcontract awards are made. The clause is also applicable to contracts utilizing FAR Part 12 procedures for acquiring commercial products and services, except for those solely involving COTS items.

Timing of CMMC Certification

Three points at which CMMC certification could be required were considered:

  1. Proposal Submission: Organizations must demonstrate compliance during the proposal phase.
  2. Contract Award: Certification is verified before the contract is awarded.
  3. Post-Award: Compliance is maintained and reaffirmed throughout the contract’s performance.

Ultimately, it was decided that certification would be required at contract award: proposal submission may not leave enough time to prepare, and post-award would be too late if CUI needed to be transmitted before a certification had been obtained.

Impact on Small Businesses and Foreign Suppliers

To mitigate the impact on small businesses, the DoD has implemented a phased roll-out over three years, affecting approximately 1,104 businesses. While foreign suppliers are not exempt from CMMC compliance, the rule acknowledges the complexities involved and provides specific guidelines for international entities.

Final Thoughts

The implementation of 48 CFR and its integration into CMMC compliance marks a new era of cybersecurity accountability within the defense industrial base. By ensuring that all contractors and subcontractors maintain robust cybersecurity measures, the DoD aims to protect sensitive information from cyber threats. As the rule undergoes its final review and comment period, organizations must prepare for its eventual adoption and ensure their systems meet the stringent requirements laid out by CMMC.