This week, ACEC filed comments on the proposed rule adding significant requirements for federal contractors working with the Department of Defense. Known as Cybersecurity Maturity Model Certification or CMMC, the rules have been in development since 2019, with an extensive review by the Biden Administration, which led to a reduction in CMMC compliance levels from its original five down to three.
CMMC 2.0, as it is now known, will require defense contractors to have their IT security assessed and certified by third-party assessors. The purpose of the CMMC is to verify that the information systems used by Defense Department contractors, including A/E firms, comply with the mandatory information security requirements. The goal is to ensure appropriate protection of controlled unclassified information (CUI) and federal contract information (FCI) that is stored and processed by industry partners.
ACEC members have worked closely with their DoD clients to understand how CMMC’s implementation will impact their firms. In our comments, we raise concerns over the inconsistency in how CUI is applied, the expected costs of implementing the requirements, and how international partners would be affected when partnering with American firms. Because the A/E industry works alongside many external partners, the responsibility and burden of compliance must be spread throughout the supply chain.
Following a review of the public comments, the Department of Defense is expected to release a final rule no sooner than the Fall of 2024, with a phased implementation to follow in the Spring of 2025.