Proposed rule would allow DOD program managers to request waivers for CMMC requirements

Under a proposed rule published Tuesday, the Department of Defense would allow program managers to seek waivers for Cybersecurity Maturity Model Certification assessment requirements.

CMMC is the Pentagon’s ambitious framework to more thoroughly assess and accredit any contractors that handle its controlled unclassified information (CUI) on their systems, ensuring they meet certain National Institutes of Standards and Technology cybersecurity requirements included in NIST 800-171 and 800-172. After reforming the program in 2021, the DOD has been working on a final rule that will mandate those contractors that work with the department’s CUI be CMMC certified, or risk losing its business.

Under the proposed rule published in the Federal Register on Dec. 26, contractors must achieve a specified cybersecurity level by the time of contract award. However, assessment requirements might not be applicable in certain cases.

“Once CMMC requirements have been implemented in the [Defense Federal Acquisition Regulation Supplement], the solicitation will identify the specific CMMC Level required for that procurement,” the proposed rule states. “To implement a phased transition, selection of a CMMC Level will be based upon careful consideration of market research and the likelihood of a robust competitive market of prospective offerors capable of meeting the requirement. In some scenarios, DoD may elect to waive application of CMMC third party assessment requirements to a particular procurement. In such cases, the solicitation will not include a CMMC assessment requirement. Such waivers may be requested and approved by the Department in accordance with DoD’s internal policies and procedures.”

It would permit program managers “to seek approval to waive inclusion of CMMC requirements in solicitations that involve disclosure or creation of [federal contract information] or CUI as part of the contract effort. Such waivers will be requested and approved by DoD in accordance with internal policies, procedures, and approval requirements.”

The document does not spell out the internal processes or requirements for granting waivers.

An interim rule issued in 2020 did not include those waiver provisions.

The proposed final rule released Tuesday notes that the Pentagon received feedback about previous CMMC proposals.

“Many commenters were concerned about the lack of waivers or [plan of action and milestones]. Several commenters commented that not allowing waivers is impractical and will impact the ability of businesses to qualify for contract award,” it states.

In 2021, the Pentagon indicated that its plans for CMMC 2.0 included the development of “a selective, time-bound waiver process, if needed and approved.” However, it did not specify that program managers would be responsible for requesting waivers.

The Pentagon is seeking public feedback on the proposed rule. Comments are due by Feb. 26, 2024.