CFR Subparts 204, 212, 217, and 252 Overview
On August 15, 2024, the Department of Defense (DoD) published for public comment its proposed amendments to 48 Code of Federal Regulations (CFR) Chapter 2, Defense Acquisition Regulations System (DFARS), Subparts 204, 212, 217, and 252 (DFARS Case 2019-D041/Docket DARS-2020-0034). With this call for public comment, DoD is one step closer to being able to write into contracts, task orders, and delivery orders the specific Cybersecurity Maturity Model Certification (CMMC) requirements that vendors must meet.
These proposed amendments are what some people refer to as the Title 48 Rule for CMMC. With these amendments, DoD has published what it anticipates will become authoritative guidance to DoD contracting officers. The guidance will, to a lesser degree, also affect members of the Defense Industrial Base (DIB) implementing CMMC.
This set of amendments does not change or adjust the rules most of us think about when we hear ‘CMMC’; those fall under Title 32 CFR, National Defense, Part 170, CMMC. Think of Title 32 CFR as the definitions and authorities that create the CMMC program. Title 48 CFR houses the Federal Acquisition Regulation (FAR) in Chapter 1 and the agency supplements in the chapters that follow. Chapter 2 of Title 48 is what is commonly known as the DFARS (Defense Federal Acquisition Regulation Supplement). The DFARS provides the DoD-specific guidance to DoD contracting officials and acquisition specialists so they can keep their respective organizations consistent across the vastness of the DoD. All the proposed changes lie within the DFARS chapter of Title 48.
So, what does this mean for members of the DIB? It means the window to submit comments that can improve the contractual language of the future closes on 15 October 2024.
What are the important takeaways?
1. Clarity on what is CUI is not forthcoming
The rules repeat the definition of CUI in 32 CFR 2002.4(h). As noted in 32 CFR Part 170’s public comments, the definition leaves significant room for ambiguity and interpretation. This set of rules does not make an effort to reduce the ambiguity.
2. Misuse of CUI remains unaddressed
These rules do not address the potential, or likely, misuse of CUI (e.g., missing labels, incorrectly applied labels). There is always the implicit threat of contractual remedies, but DoD offers contracting officials, primes, and subcontractors no other path of influence or recourse.
3. With no definition, ‘lapse’ is open for interpretation
There is a requirement for members of the DIB to notify contracting officer(s) holding their CUI-related contracts when the vendors have ‘…lapses or changes in CMMC certification levels…’.
The rule leaves ‘lapse’ undefined in both meaning and scope. Too loose a definition and contracting officers will be inundated with ‘lapse’ reports whose severity they are ill prepared to judge. Too broad a scope would also start cascades of reports flowing upward from subcontractors through primes to DoD.
4. ‘Change in assessment level’ is open for interpretation
There is a requirement for assessed organizations to report changes in their self-assessment levels during the performance of their contract. Day-to-day maintenance activities can lead to changes in an assessment level, as can the release of patches to what were formerly FIPS 140-2 validated cryptographic modules. Is it likely that DoD expects these types of changes to be reported to contracting officers? To primes?
5. Inferred reporting and enforcement obligations leave DIB vendors guessing
Federal Contract Information (FCI) and CUI security requirements flow down from primes to subcontractors. The newly published rules leave substantial room for readers to infer that primes have enforcement obligations for CMMC violations, that is, for subcontractors unable to obtain or maintain their CMMC certification.
6. There is no apparent use of longitudinal incident or lapse data
CMMC’s shift to annual affirmation and continuous monitoring is a stepwise improvement over the triennial NIST SP 800-171 self-assessment required under DFARS 252.204-7019/7020. What remains unclear is whether contracting officials will integrate reported incidents, lapses, and changes in CMMC certification, and their respective trends, into decisions to award, renew, or extend contracts, task orders, or delivery orders. Nor is it clear that contracting officials will make those data points available to the requesting program office or requesting activity.
Conclusion
Preventing unauthorized disclosure of CUI through adherence to CFR requirements is only part of our responsibility as DIB vendors. Another component of that responsibility is to use public comment opportunities to make the rules within the CFR more feasible, actionable, achievable, sustainable, and meaningful. Planet encourages every member of the DIB to send their cogent recommendations on 48 CFR to DoD today! And don’t forget, 32 CFR Part 170 will undergo additional changes and public comment periods when DoD moves from CMMC 2.0 to CMMC 2.1 and beyond!
Learn More
Something else or not sure where to start? Email us at [email protected]