The DoD has finally crossed the CMMC finish line, but for contractors, the race is just beginning. With the Final Rule effective Nov. 10, award eligibility will hinge on a “current” CMMC status in SPRS, backed by annual affirmations and strict compliance. The next two months are critical for getting race-ready. In this Featured Comment
Final Rule
Feature Comment: The CUI Program: DOD, We Have A Problem (Part II)
In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶…
Feature Comment: The CUI Program: DOD, We Have a Problem
The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require…
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.
FAR Council Issues Final Rule to Implement Trump Executive Order on Significant Buy American Changes
On the eve of the inauguration of President Biden, a lingering Trump-era policy finally made its way into the Federal Acquisition Regulation (FAR). On January 19, 2021, the FAR Council issued a final rule implementing changes first revealed in Executive Order 13881 (the E.O.), Maximizing Use of American-Made Goods, Products, and Materials (84 FR 34257, July 18, 2019). As we discussed in an earlier post on this topic, the E.O. mandated significant modifications to FAR clauses implementing the Buy American statute by (1) substantially increasing domestic content requirements and (2) increasing the price preferences for domestic products. On September 14, 2020, the FAR Council issued a proposed rule designed to implement the requirements of the E.O. (85 FR 56558, Sept. 14, 2020). Our post on that development noted that, while the proposed rule incorporated the overarching objectives of the E.O., it also significantly expanded on the E.O. by reintroducing the domestic content test for commercially available off-the-shelf (COTS) items made wholly or predominantly of iron or steel, or a combination of both (with the exception of fasteners).
