That was fast! Especially for government timelines. After announcing 48 CFR would be available for public comments just last week, it is out for public comments. This is the rule that will require the government to put a #CMMC in contracts if the contractor will process, store, or transmit CUI. Comments are due before October 15, 2024.

On first read, it is what has been expected with no surprises. Some of the highlights:

- Requires CMMC Level to be identified in all solicitations (with a few exceptions) where FCI and/or CUI will be handled by the contractor
- Confirmed the phased rollout previously defined in the 32 CFR proposed rule
- Requires primes to confirm subcontractors, at all tiers, meet CMMC requirements
- Requires contractor to meet CMMC requirements prior to contract award
- Includes foreign suppliers
- Defines a minimal burden, approx. 15 minutes per system, to comply with the proposed rule as the technical requirements have already been addressed by the 32 CFR proposed rule

Time to dig deeper to see how it will affect DoD contracts. Did you see anything interesting in the proposed rule? https://lnkd.in/gq2TZVB9
Tom Conkle’s Post
"(b) Requirements. The Contractor shall—
(1)(i) Have a current CMMC certificate or current CMMC self-assessment at the following CMMC level, or higher: __________ [Contracting Officer to fill in the required CMMC level]; and
...
(2) Maintain the CMMC level required by this contract for the duration of the contract for all information systems, used in performance of the contract, that process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI);
(3) Only process, store, or transmit data on information systems that have a CMMC certificate or CMMC self-assessment at the CMMC level required by the contract, or higher;"

-----------

This is from the proposed 48 CFR #CMMC Rule. The text above would be placed into contracts as CMMC rolls out (unless modified in response to comments).

Do you see the problem with the wording? If the contracting officer fills in "Have a current CMMC certificate or current CMMC self-assessment at the following CMMC Level, or higher: CMMC Level 2"... then (2) and (3) essentially say that the contractor will keep all data related to the contract (including FCI) on a CMMC Level 2 system.

Is it a mistake? I hope so. The language goes against all verbal explanations given so far by the DoD. Remember, all this time, they've been saying that a CMMC Level 1 system is for FCI, and a CMMC Level 2+ system is for CUI.

I would have expected language like "will maintain CMMC Level 1 on all systems that store, process, or transmit FCI, and will maintain CMMC Level ___(2 or 3)__ on all systems that store, process, or transmit CUI for this contract."

If the DoD does plan to go forward with that language, it poses a major problem for companies that plan to build a VDI enclave to handle CUI while keeping FCI on their main corporate system (with a Level 1 self-assessment). I don't see any instruction to C3PAOs to verify the location of FCI during CMMC Level 2 assessments, however. So dishonest companies would be able to self-attest that all of the FCI related to the contract is kept in the CMMC Level 2 system without worrying about a private sector assessor snooping around.

Credit to Vincent Scott for pointing out this problem a few days ago.

Want to read the rule yourself? It is published in the Federal Register here: https://lnkd.in/eUbKc8BH The DoD is accepting comments until 10/15/2024.

------

Kieri Solutions - Authorized C3PAO offers CMMC Level 2 assessments and preparation services.
Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
federalregister.gov
#CMMC Status Update. [Revised!] Last week, OMB released the 2024 Spring Regulatory Agenda. There are several items of interest.

Regarding the 32 CFR rule, Rulemaking Identification Number (RIN) 0790-AL49, for which a Proposed Rule was published for comments on Dec. 26, 2023, the news is that DoD expects "Final Action" in November 2024. The abstract for this rule states that DoD is "finalizing requirements to ensure defense contractors ... [have] implemented required security measures" for FCI and CUI security requirements "for certain priority programs." https://lnkd.in/gMNMCKbS

Another OMB report concerns the "companion" 48 CFR Rule. Here, for RIN 0750-AK81, the new Agenda anticipates publication of a Notice of Proposed Rulemaking (NPRM) in August 2024. If this date is held, we can expect a comment period of at least 60 days, after which DoD would "adjudicate" the comments as received. https://lnkd.in/gRQ28buW

Another entry, for RIN 0750-AL68, which also concerns 48 CFR content, is to implement the SP 800-171 "DoD Assessment Methodology," which "enables DoD to assess contractor implementation" of SP 800-171 requirements. This is subject to "Final Action" with an identified date of October 2024. https://lnkd.in/gVRE2c8S

The 48 CFR rule will contain the key contract clauses that (when present) obligate DoD bidders and contractors to conform to CMMC attestation and assessment requirements. If the schedule holds, this suggests that both "wings" of the CMMC regulations will be finalized by the 1st Quarter of 2025, so that the program will move from preparation to operation. I anticipate a careful rollout -- though the exact rollout priorities and period haven't yet been communicated to industry.

Also -- if you're curious about how CMMC will be affected by the Supreme Court's decision in Loper Bright, overturning the Chevron doctrine, please have a look at my posts from last week. I do not expect the CMMC rulemaking to be derailed by the demise of Chevron. Because CMMC is implemented contractually, Chevron may create neither new nor different legal grounds to challenge what is, actually, procurement rulemaking.
The Contractor shall -- (these quotes are from the proposed 48 CFR Rule that is releasing tomorrow)

"Have a current CMMC certificate or current CMMC self-assessment at the following CMMC level, or higher: ____________ [Contracting Officer to fill in the required CMMC level];"

"Only process, store, or transmit data on information systems that have a CMMC certificate or CMMC self-assessment at the CMMC level required by the contract, or higher;"

"Notify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract;"

"Ensure all subcontractors and suppliers complete and maintain on an annual basis, or when changes occur in CMMC compliance status (see 32 CFR part 170), an affirmation of continuous compliance with the security requirements associated with the CMMC level required for the subcontract or other contractual instrument for each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract."

"Prior to awarding a subcontract or other contractual instrument, ensure that the subcontractor has a current CMMC certificate or current CMMC self-assessment at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor."

Also introduces unique IDs for assessed information systems, to prevent gaming the system.

"(2) Contracting officers shall require the apparently successful offeror to provide the DoD UID(s) applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract."

"DoD unique identifier means an alpha-numeric string of ten characters assigned within the Supplier Performance Risk System to each contractor assessment, with the first two characters indicating the confidence level of the assessment."

Link to text: https://lnkd.in/dnpwiStQ #CMMC
2024-18110.pdf
public-inspection.federalregister.gov
Good info here on the 48CFR rule that drops tomorrow and is then followed by a 60-day comment period. There are changes to DFARS parts 204, 212, 217, and 252 - including changes to 252.204-7021 for contractor compliance with the requisite CMMC Level requirements. Of note, clause 252.204-7012 appears unchanged. https://lnkd.in/gabgWQzh
In a final rule published on 11/15/2024, the DoD amended the DFARS to clarify the contract clauses and solicitation provisions applicable to FAR Part 12 commercial product and commercial service acquisitions and commercially available off the shelf (COTS) item subcontracts.

Last year, the DoD published a proposed rule to amend the DFARS by identifying and eliminating certain contract clause requirements applicable to commercial product and service acquisitions and COTS item subcontracts, unless the requirement is required by law or executive order or determined by the Secretary of Defense as required.

In this final rule, the DoD decided not to implement some of the proposed changes, such as restoring DFARS 252.203-7005, "Representation Relating to Compensation of Former DoD Officials", to the list of provisions and clauses applicable to commercial products and commercial services. Another major change is that a number of cybersecurity requirements are listed as inapplicable to COTS item acquisitions, including DFARS 252.204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting".

The DoD explained that the purpose of this final rule is to clarify the applicability of certain provisions and clauses and reduce the compliance burden on government contractors with commercial product and services contracts. With these changes to the lists of applicable and inapplicable solicitation provisions and contract clauses, businesses with commercial government contracts, especially for COTS items, should carefully review contracts and solicitations to make sure that the applicable clauses are in their contract.

As always, if you have any questions or concerns about government contracts, commercial products or services contracts, or COTS items acquisition, feel free to reach out to Ward and Berry! Read the final rule for yourself at https://lnkd.in/e6CwSzV3.
Ryan Berry Daniel Ward Ryan Bradel Amanda Merced Tyson Marx Jennifer Morris Michael Hatch Brian Yu Chelsea Cruz Nicholas Perry Matthew Saliman #FARPart12 #commericalitem #COTS #DOD #DFARS #DFARSamendment #smallbusiness #governmentcontracting #govcon
Defense & Government Contract Manufacturers alert! The Final CMMC rule is published and is effective December 16, 2024. Going forward, CMMC Level 1, 2, or 3 may be a Condition of Award in new contracts and new option years. CMMC contract clause DFARS 252.204-7021 will require the development of a System Security Plan (SSP).

- Defense contractors & subcontractors processing, storing, or transmitting Federal Contract Information (FCI) are subject to CMMC Level 1 (17 Controls)
- Defense contractors & subcontractors processing, storing, or transmitting Controlled Unclassified Information (CUI) are subject to CMMC Level 2 (110 Controls) or 3 (Level 2 Cert + 24 Controls from NIST 800-172)
- The applicability of CMMC Level for procurement will be determined by the Department of Defense (DoD)
- Subcontractor flow-down is a requirement

For more information, check out this article. https://hubs.la/Q02YYhzP0 There are lots of considerations and detail in this Final Rule. To be sure your systems and processes support your journey, contact Godlan!
Key quotes from the new 48CFR Rule for #CMMC. This rule is the one that goes into new and renewing contracts and requires having a CMMC certificate or self-assessment upon contract award. They tightened up the language quite a bit. On quick scan, it looks well done. The first 40 pages give a lot of information about the DoD's thought process on CMMC, including some technical clarifications like whether joint ventures need to be individually certified, and whether talking about CUI over the phone is in scope.
Are you a government contractor with commercial service or product contracts? If so, please read below about the DoD's latest amendment to the DFARS related to FAR Part 12 acquisitions!
What you should know!! New DOD Rules on Contractor Reporting and Mitigating Foreign Ownership, Control or Influence (FOCI) for Unclassified Contracts... #foci #dod #apexaccelerator #smallbusiness #governmentcontracting https://lnkd.in/eFMvDWrF
New DOD Rules on Contractor Reporting and Mitigating Foreign Ownership, Control or Influence for Unclassified Contracts
wiley.law
Defense & Government Contract Manufacturers alert! The Final CMMC rule is published and is effective December 16, 2024. Going forward, CMMC Level 1, 2, or 3 may be a Condition of Award in new contracts and new option years. CMMC contract clause DFARS 252.204-7021 will require the development of a System Security Plan (SSP).

- Defense contractors & subcontractors processing, storing, or transmitting Federal Contract Information (FCI) are subject to CMMC Level 1 (17 Controls)
- Defense contractors & subcontractors processing, storing, or transmitting Controlled Unclassified Information (CUI) are subject to CMMC Level 2 (110 Controls) or 3 (Level 2 Cert + 24 Controls from NIST 800-172)
- The applicability of CMMC Level for procurement will be determined by the Department of Defense (DoD)
- Subcontractor flow-down is a requirement

For more information, check out this article. https://hubs.la/Q02YY7130 There are lots of considerations and detail in this Final Rule. To be sure your systems and processes support your journey, contact Godlan!
Internal Auditor @ Exelon (4mo): Govt contracts inquiry: Streamlining DMVs all over the United States to bring in more revenue for traffic authorities, auto insurance companies, municipal court and state government. Feel free to reach out to hear more.