Cybersecurity Requirements for Defense Contractors

On August 15, the Department of Defense (DoD) published a second proposed rulefor the Cybersecurity Maturity Model Certification (CMMC) program that places unified cybersecurity and information security requirements on DoD contractors and subcontractors. As AGC previously reported, the first proposed rule issued in December 2023 focused on the CMMC program and corresponding cybersecurity requirements for DoD prime and subcontractors. This latest proposed rule supplements the first proposed rule. Importantly, it contains DFARS revisions for contract clause requirements and additional guidance to federal contracting officers.

The DoD proposes to implement the CMMC requirements over four phases, starting with the inclusion of CMMC Level 1 and Level 2 Self-Assessment requirements in all applicable DoD solicitations. This will begin on the effective date of the final rule and will be a condition of contract award. CMMC Level 3 is expected roughly six months to a year after implementation of the final rule. The full rollout, which will see CMMC program requirements included in all applicable solicitations and contracts, is expected to occur sometime in 2027.

AGC has long communicated the difficulty many contractors and their subcontractors have had implementing these cybersecurity requirements and the challenges of that the CMMC model brings. AGC of America has previously filed commentson CMMC as it was developed and will file comments on the new proposed rule.

For more information, contact Jordan Howard at (703) 837-5368.