
Cyber Compliance Rule Approved by Trump Administration: Ready or Not

Federal regulation concerning Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) has been approved by the Office of Information and Regulatory Affairs (OIRA). The transition of compliance responsibility shifts from policy-making to...


The Defense Department finalised the CMMC program rule in Title 32 last year, defining levels, scope, and a phased plan across the defense supply chain. However, CMMC has not yet been integrated into contracts.

Following clearance by the Office of Information and Regulatory Affairs (OIRA), the rule will be published in the Federal Register and will name an effective date, marking the start of Phase 1 of the rollout.

Once Title 48 comes into force, contracting officers will have the authority to insert the DFARS clause that specifies the required CMMC level. They will also be able to check the Supplier Performance Risk System (SPRS) for self-assessment scores or certifications before award and before exercising options. Any missing or stale status will be treated as a gating issue.

From the effective date forward, the Department intends to include Level 1 or Level 2 self-assessment requirements as a condition of award where applicable. The effective date should be treated as a bid gate, as it marks the point where CMMC becomes an eligibility requirement for contracts.

The exact effective date for the rule is expected to be between 1 and 60 days after its publication in the Federal Register.

The Defense Federal Acquisition Regulation Supplement (DFARS) provides the contract clauses used in solicitations and awards for cybersecurity. The acquisition rule in Title 48 closes the gap by authorising contracting officers to require a specific CMMC level in solicitations and awards and by enabling verification of status in government systems.

The SPRS, the Pentagon's authoritative system for supplier risk data, will be used to confirm NIST SP 800-171 assessment scores and CMMC status or affirmations before award and at option exercises.

As of now, there is no information available about the latest publication date of the rule in Title 48 of the Code of Federal Regulations regarding cybersecurity requirements for contractors, nor its publication date in the Federal Register.
