Pentagon Lock Security Defense Concept Illustration (Getty images)

WASHINGTON — The Pentagon submitted a new proposed rule detailing how it plans to enforce its cybersecurity standards related to Controlled Unclassified Information (CUI) under the long-awaited Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0). 

The proposed rule published to the Federal Register on Thursday specifically amends the Defense Federal Acquisition Regulation Supplement — requirements and regulations that are meant to guarantee the safekeeping of CUI — so that the CMMC 2.0 requirements are implemented in all vendor contracts with the DoD that handle CUI.

Following up on a December rule that governed CUI in contracting, the new rule also proposes new requirements for contracting officers, who must ensure that bidding parties are CMMC-compliant and must notify contractors when CMMC requirements are part of a contract. 

The CMMC overhaul has been in the works for several months. The initiative’s goal is to create an upgraded version of the cyber certification program designed to strengthen the defense industrial base’s cybersecurity capabilities while responding to industry’s complaints that obligations under CMMC 1.0, launched in 2019, would be too costly and restrictive. 

CMMC 2.0 works at three levels, depending on the quantity of CUI involved. Companies at Level 1, who deal with the least CUI, can do self-assessments to become CMMC 2.0 compliant, while at Level 2 some companies can perform self-assessments and others will need to be certified by third-party assessment organizations (C3PAOs). All companies at Level 3 would have to be certified by C3PAOs. 

The new amendments “require at the time of award the results of a current CMMC certificate or CMMC self-assessment, at the level required, for all information systems that process, store, or transmit FCI [Federal Contract Information] or CUI during contract performance, when a CMMC level is included in the solicitation,” the proposed rule states. 

The new rule also mandates that subcontractors be held to the same standard as higher-level contractors if they’re dealing with sensitive information.

“During the phase-in period, when there is a requirement in the contract for CMMC, CMMC certification requirements must be flowed down to subcontractors at all tiers, when the subcontractor will process, store, or transmit Federal contract information (FCI) or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements,” the proposed rule reads. 

Thursday’s proposed rule includes a three-year rollout plan in which it’ll only affect a subset of DoD contracts, stating that during that time “the CMMC requirement will be included only in certain contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement.” 

After those three years, however, department component program offices will have to “include a requirement for CMMC solicitations and contracts that will require the contractor to process, store or transmit FCI or CUI on contractor information systems during contract performance.”

The comment period for the newly proposed rule will end Oct. 15. If the rule is approved by the Office of Information and Regulatory Affairs in a timely manner, the phased rollout of CMMC 2.0 could be on track to start at the beginning of next year — a goal David McKeown, Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer at the Department of Defense, set earlier this year.