DoD Proposes New CMMC Rule for Defense Contracts

Amendment Requires CMMC Inclusion in All Pentagon Solicitations and Contracts

The Department of Defense (DoD) has officially released a proposed rule that will integrate Cybersecurity Maturity Model Certification (CMMC) requirements into the contracting process. This new regulation is part of a broader effort to ensure that defense contractors adhere to stringent cybersecurity standards when handling sensitive but unclassified information. The CMMC requirements will be introduced through a three-year phased rollout, gradually tightening the cybersecurity expectations for contractors within the defense supply chain.

What Is the New CMMC Rule?

The proposed amendment to the Defense Acquisition Regulations Supplement (DFARS) mandates that CMMC requirements be integrated into all applicable Pentagon solicitations and contracts. Contractors will be required to either self-assess their cybersecurity posture or obtain third-party certification, depending on the sensitivity of the information they handle. Notably, the new rules require contractors to submit their CMMC assessment or certification at the time of contract award to reduce risks for both the contractor and the DoD.

Since its initial announcement in 2019, the CMMC framework has evolved into its current form, known as CMMC 2.0. This version includes three certification levels, each corresponding to the sensitivity of the information managed by the contractor. Level 1 and some Level 2 contractors can self-assess their compliance, while more sensitive Level 2 contractors must be evaluated by certified third-party assessors. All Level 3 assessments are to be conducted by government assessors.

Additionally, the proposed rule requires the Defense Department to inform offerors of the specific CMMC level needed for a given solicitation and mandates that the successful offeror's CMMC certification or self-assessment results be posted in the department’s Supplier Performance Risk System before the contract is awarded.

Why This Matters to MSPs

Managed Service Providers (MSPs) that support defense contractors will be directly impacted by these new CMMC rules. MSPs must now ensure that their clients are fully compliant with the appropriate CMMC level well before contract award dates. Delays in obtaining necessary certifications could jeopardize contract opportunities, making it essential for MSPs to proactively manage and bolster their clients’ cybersecurity postures.

MSPs that serve the defense sector must stay ahead of these regulations, not only to support their clients but also to position themselves as reliable partners in navigating the increasingly complex cybersecurity landscape. Those who can guide their clients through the intricacies of CMMC compliance will find themselves at a competitive advantage in securing and retaining business.

Want to learn more?

National Defense Magazine: New Proposed Rule Lays Out CMMC Guidelines for Defense Contracts
U.S. Department of Defense: Frequently Asked CMMC Questions
CISA: Cybersecurity Maturity Model Certification 2.0

How Compliance Scorecard Can Help

Compliance Scorecard is here to help MSPs navigate this critical transition. Our platform is designed to streamline the compliance process, making it easier for MSPs to assess, manage, and document their clients' cybersecurity practices in alignment with CMMC requirements. With our tools, you can ensure your clients are audit-ready and fully compliant, reducing the risk of delays or contract losses.

Leverage Compliance Scorecard to stay on top of the evolving CMMC requirements, provide valuable guidance to your clients, and strengthen your role as a trusted partner in the defense contracting space.