CMMC Update

Stinson - Government Contracting Matters

Stinson - Government Contracting Matters

Last week we reported on developments in the Department of Defense (DoD) efforts to implement enhanced Defense Industrial Base cybersecurity requirements. Following our report, Katie Arrington, DoD Chief Information Security Officer in the Office of the Undersecretary of Defense for Acquisition and Sustainment, confirmed our thoughts that the DoD’s roll out of Cybersecurity Maturity Model Certification (CMMC) requirements in Requests for Proposals (RFPs) was likely to be impacted by COVID-19.

Specifically, she advised that the pilot RFPs to include CMMC are now on track to be released in November, approximately 60 days later than the originally targeted September roll out. She indicated that CMMC will not be included in DoD contracts until the rule is “completed.” The rule, which we understand will be a revision of the current DFARS clause, 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, to include CMMC rules, is now identified for completion in October. However, this schedule may change depending on whether DoD follows through on its statements that it is going to have the rule go through a formal public hearing and rulemaking before being finalized. Given COVID-19 shelter-in-place rules and travel restrictions, hosting an in-person public meeting on the proposed rule could pose challenges to this schedule. Perhaps DoD will instead host a virtual meeting to receive input into the revised rule. If so, it will have to take care to protect against cybersecurity hacking.

It is clear that China and other countries are increasing attacks on cyber targets. DoD contractors and their supply chains should be taking steps now to enhance their cybersecurity in accordance with the current version of CMMC. It is not a question of whether DoD will proceed to implement CMMC, but when. Further, contractors that have a Plan of Action and Milestones (POAM) to implement NIST SP 800-171 requirements should continue that implementation to ensure that they are complying with their contract requirements.

Notwithstanding the above, Ms. Arrington did advise that DoD Requests for Information for incorporation of CMMC rules into contract requirements are still planned for release in June.

Stay tuned for further developments.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson - Government Contracting Matters | Attorney Advertising

Written by:

Stinson - Government Contracting Matters

Stinson - Government Contracting Matters on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.