International Stability Operations Association (ISOA)’s Post

As some of you know, I am fond of the Notice and Comment rulemaking process! Here's a quick update on a DoD proposed rule related to DFARS, CMMC 2.0, and cybersecurity regulations for government contractors!

Attention all DoD contractors and subcontractors! DoD is proposing to amend the DFARS to incorporate solicitation and contractual requirements to implement CMMC 2.0, once finalized. DoD plans to revise the existing DFARS language to, among other changes, establish solicitation provisions for contracting officers to incorporate in contracts and require increased subcontractor/vendor screening and evidence of compliance. Why should you care? The proposed rule will impact DoD contractors and subcontractors at all tiers, because the 3-year CMMC phase-in may start as early as summer of 2025! During the 3-year phase-in period, DFARS 252.204-7021 will be included in all solicitations, including those for commercial items and services (except COTS), where there is a requirement for CMMC security protections. DoD Contractors who fail to meet these requirements will be ineligible for award of a new contract or the exercise of an option under an existing contract. Under the new DFARS clause, contractors will have to flow down these requirements to subcontractors and vendors at all tiers. This means that contractors should start now to modify internal compliance programs, include vendor screening for CMMC certifications, and change processes and procedures to accommodate the CMMC requirements. Got Questions? Not sure if you’re ready for CMMC or compliance with any of the cybersecurity regulations? Ward & Berry recently expanded its cybersecurity and technology bench of skilled professionals by adding Jennifer Morris as a new Partner to help companies like yours understand and comply with the new CMMC and DFARS requirements. Jennifer has over 24 years of experience working with defense contractors in technology and cybersecurity. She has served as counsel to multiple DoD CIO offices, including as a senior acquisition/procurement counsel to the Navy, acquisition/procurement counsel to the CIA, and as a US Army Reserves JAG Officer. More importantly, Jennifer has spent numerous years working in-house for technology and cybersecurity companies helping them implement and streamline compliance programs, win new government contracts, and achieve increased revenue/growth. Reach out to Jennifer Morris and the Ward & Berry team at large for any cybersecurity questions you may have! And remember – if you have something to say about the proposed rule, SPEAK NOW – comments are due October 15, 2024! To make comments and read the proposed Rule, go to: https://lnkd.in/gS3T7cB2 and select "Public Comments." You can also email osd.dfars@mail.mil. #CMMC #DoD #cybersecurity #NIST #CUI #FCI #govcon #governmentcontractors #defensecontractors #DIB #DFARS #WID #WomenInDefense #WomenInTechnology #WIT Ryan Berry Daniel Ward Ryan Bradel Amanda Merced Jennifer Morris Tyson Marx Michael Hatch Brian Yu Chelsea Padgett Matthew Saliman Nicholas Perry

🚨 Important Update for Government Contractors: CMMC 2.0 Proposed Rule 🚨 The Department of Defense (DoD) has released a highly anticipated proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) 2.0. This significant step aims to enhance cybersecurity across the Defense Industrial Base (DIB) while simplifying compliance for contractors. Key highlights include: • Contracting Process Changes: Contractors must now submit CMMC certification documents at the time of award. • Flow-Down Requirements: CMMC requirements will extend to all subcontractors handling sensitive information. • DoD Unique Identifiers: New identifiers will track compliance and enhance monitoring. As the proposed rule is set to take effect after the comment period closes on October 15, 2024, it's crucial for contractors to start preparing now. Learn more about the CMMC's evolution, key provisions, and what this means for your compliance strategy in our latest article by Christian Hansen and Rich Weber. #CMMC #Cybersecurity #GovernmentContractors #Compliance #MossAdams

🚨 Important Update for Government Contractors: CMMC 2.0 Proposed Rule 🚨 The Department of Defense (DoD) has released a highly anticipated proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) 2.0. This significant step aims to enhance cybersecurity across the Defense Industrial Base (DIB) while simplifying compliance for contractors. Key highlights include: • Contracting Process Changes: Contractors must now submit CMMC certification documents at the time of award. • Flow-Down Requirements: CMMC requirements will extend to all subcontractors handling sensitive information. • DoD Unique Identifiers: New identifiers will track compliance and enhance monitoring. As the proposed rule is set to take effect after the comment period closes on October 15, 2024, it's crucial for contractors to start preparing now. Learn more about the CMMC's evolution, key provisions, and what this means for your compliance strategy in our latest article by Christian Hansen and Rich Weber. #CMMC #Cybersecurity #GovernmentContractors #Compliance #MossAdams

🚨 Important Update for Government Contractors: CMMC 2.0 Proposed Rule 🚨 The Department of Defense (DoD) has released a highly anticipated proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) 2.0. This significant step aims to enhance cybersecurity across the Defense Industrial Base (DIB) while simplifying compliance for contractors. Key highlights include: • Contracting Process Changes: Contractors must now submit CMMC certification documents at the time of award. • Flow-Down Requirements: CMMC requirements will extend to all subcontractors handling sensitive information. • DoD Unique Identifiers: New identifiers will track compliance and enhance monitoring. As the proposed rule is set to take effect after the comment period closes on October 15, 2024, it's crucial for contractors to start preparing now. Learn more about the CMMC's evolution, key provisions, and what this means for your compliance strategy in our latest article by Christian Hansen and Rich Weber. #CMMC #Cybersecurity #GovernmentContractors #Compliance #MossAdams

🚨 Important Update for Government Contractors: CMMC 2.0 Proposed Rule 🚨 The Department of Defense (DoD) has released a highly anticipated proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) 2.0. This significant step aims to enhance cybersecurity across the Defense Industrial Base (DIB) while simplifying compliance for contractors. Key highlights include: • Contracting Process Changes: Contractors must now submit CMMC certification documents at the time of award. • Flow-Down Requirements: CMMC requirements will extend to all subcontractors handling sensitive information. • DoD Unique Identifiers: New identifiers will track compliance and enhance monitoring. As the proposed rule is set to take effect after the comment period closes on October 15, 2024, it's crucial for contractors to start preparing now. Learn more about the CMMC's evolution, key provisions, and what this means for your compliance strategy in our latest article by Christian Hansen and Rich Weber. #CMMC #Cybersecurity #GovernmentContractors #Compliance #MossAdams

Many contractors in the Defense Industrial Base (DIB) are finding it difficult to meet the cybersecurity requirements outlined by the Department of Defense (DoD). A recent study shows that most contractors are not ready, despite the framework being announced in 2021. Currently, contractors must report a self-assessment score under the Defense Federal Acquisition Regulation Supplement (DFARS), using the 110 controls in NIST SP 800-171. However, only 41% of respondents have completed the assessment, with an average score of -12. Although 89% of the contractors operate in critical infrastructure sectors, just 4% say they are ready for certification. Contractors of all sizes report difficulties in implementing the required controls. Gaps in basic cybersecurity practices remain a concern. While 80% of contractors have experienced cyber incidents, only 42% conduct incident response exercises each year. System security plans are in place at just over half of the companies, and fewer than 50% have created action plans to address known issues. Only 42% of respondents reported completing their annual DFARS assessments. These findings unfortunately align with a similar study conducted in 2022. That report found 46% of contractors had completed the self-assessment, with participants averaging a score of -23. Minimal progress suggests contractors continue to struggle, even after several years of preparation. As the CMMC rollout approaches, this lack of readiness raises concerns for both the DoD and contractors. If these gaps remain unresolved, contractors risk losing eligibility for future contracts. #cybersecurity #CMMC #DoD

🚨 BREAKING: Big News for the Defense Industry and Contractors! 🚨 After what feels like an eternity, the Department of Defense's (DoD) long-awaited Cybersecurity Maturity Model Certification (CMMC) is finally moving forward! This crucial cybersecurity compliance policy has cleared its final regulatory hurdle and is now headed to Congress for a 60-day review. The Office of Information and Regulatory Affairs (OIRA) cleared the final rule on Sept. 13, meaning no more changes will be made unless Congress or the President steps in (which is highly unlikely). If no action is taken, CMMC becomes law, affecting ALL contractors and companies working in the defense space. Why should this matter to you? For those in the defense industry, this is a game-changer. Compliance with CMMC will become mandatory for any organization doing business with the DoD. Cybersecurity is no longer a back-office concern; it's a frontline priority that will directly impact your contracts and business operations. Failure to meet these standards could mean lost opportunities and limited access to critical defense work. This is your call to action—get your cybersecurity house in order! Don’t wait until this becomes law. Now is the time to assess, upgrade, and prepare your security protocols to ensure you’re CMMC-compliant. The clock is ticking! Stay informed, stay compliant, and stay competitive. 🔒 #CMMC #Cybersecurity #DefenseIndustry #DoD #Compliance #CyberThreats #CMMCcompliance #defense #DefenseIndustry

Moving forward with mandatory cybersecurity compliance for a stronger and safer digital posture!

CMMC, or Cybersecurity Maturity Model Certification, is a framework for improving the cybersecurity posture of firms collaborating with the United States Department of Defense (DoD). It presents a multi-tiered approach to cybersecurity, spanning from basic hygiene practices to advanced capabilities. As a DoD contractor, you should be concerned about CMMC for various reasons: 1. Good chance CMMC will go into law in 2024 and many DoD contracts (and other gov agency contracts) will make this part of their contract requirements. If you are not CMMC-compliant, you will miss out on the opportunity ($$$). 2. You can't get certified over night. You need time. On average it takes organizations at least 12 months to get compliant. Wait times for assessors is 9-15 months. 3. Planning for budgetary impacts. If you do not currently have a security compliance program in place, you must determine whether developing a team internally, externally, or a combination of the two is appropriate. Keep in mind that if you work with external partners, they will most likely need to be CMMC compliant as well. Additional costs will include the cost of the audit and any additional tools required. CMMC is an important program for improving cybersecurity across the defense industry. Complying with CMMC criteria is not only a duty, but also a strategic decision to protect sensitive information, maintain contracts, and remain competitive in the defense sector. As an FYI, BlueSteel Cybersecurity are DoD contractors assisting other DoD contractors in becoming CMMC-ready. We understand the landscape and have firsthand experience in the trenches. If you are a federal contractor, contact me for additional resources to help your firm achieve CMMC compliance. #CMMC #DoDContractors #Cybersecurity.