The US Department of Defense Cybersecurity Final Rule was published October 15 with phased implementation to start early next calendar year. The purpose of the contractual requirement is to ensure that Defense contractors and subcontractors have the proper cybersecurity protections in place to keep information safe from potential cyber threats.
Does this new rule impact your business? Firms providing commercial off-the-shelf (COTS) products without modifications are exempt from the requirements. For other Defense contractors, at all tiers and of all sizes, the revised CMMC requirements may start showing up in your contracts in the future. Once CMMC rules become effective, certain DoD contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be required to achieve a particular CMMC level as a condition of contract award. The DoD estimates that 8,350 small and large firms will be required to meet a CMMC Level 2 third-party assessment requirement. CMMC requirements will be implemented using a 4-phase implementation plan over a three-year period. Being caught off guard by the requirement may have a significant impact on your ability to continue to compete in the Defense marketplace.
Not sure what to do next? Meet with your local APEX Accelerator to discuss your Defense contracting goals. Unless you currently handle CUI and are likely to handle it in the future, we recommend your firm create a plan to at least comply with CMMC Level 1, which involves a self-assessment related to your firm’s ability to secure federal contracting information that is processed, stored, or transmitted while performing on contracts. The firm must comply with 15 security requirements described in FAR 52.204-21 and flow down these requirements to subcontractors, except those providing commercial off-the-shelf items. Learn more about making your firm more cybersecure or about the contractual requirements through Project Spectrum, which offers no-cost training on cybersecurity requirements and CMMC, a CMMC Level 1 Self Assessment Tool, a CUI Discovery Questionnaire and more.