The Department of Defense has started soliciting comments on a proposed rule to implement the contractual requirements related to the second iteration of the Cybersecurity Maturity Model Certification program.
According to a Federal Register notice published Thursday, DOD introduced the proposed rule as an amendment to the Defense Federal Acquisition Regulation Supplement and to partially implement a section of the fiscal year 2020 National Defense Authorization Act that directed the DOD secretary to establish a framework to improve the defense industrial base’s cybersecurity posture.
CMMC 2.0 provides a framework for the assessment of a contractor’s implementation of cybersecurity requirements. The program also seeks to improve the protection of unclassified information within the DOD supply chain.
According to the notice, the proposed rule includes amendments requiring the results of a CMMC self-assessment or certificate at the time of award and at the level required for all systems that store, process or transmit controlled unclassified information or federal contract information.
The measure also includes a requirement for contracting officers to work with the program office to verify the results of a CMMC certificate or self-assessment in the Supplier Performance Risk System prior to awarding a contract or exercising an option.
Comments on the proposed policy are due Oct. 15.