INFOSEC ALERT - NOTICE TO THE DEFENSE INDUSTRIAL BASE *UPDATED*

*UPDATED* SPECIAL NOTICE: CMMC PROGRAM

Federal Organization Issuing Notice: U.S. Army Corps of Engineers (USACE), Headquarters, Directorate of Contracting

Description: USACE is awaiting issuance of the final DFARS Clause prior to fully implementing the Cybersecurity Maturity Model Certification (CMMC) Program, which establishes requirements for defense contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC Program also establishes requirements for contractors and subcontractors to conduct an assessment of compliance with the applicable cybersecurity standard for contractor information systems that: process, store, or transmit FCI or CUI; provide security protections for systems which process, store, or transmit CUI; or are not logically or physically isolated from systems which process, store, or transmit CUI.

The CMMC Program is designed to ensure defense contractors are properly safeguarding FCI and CUI that is processed, stored, or transmitted on defense contractor information systems. FCI and CUI must be protected to meet evolving threats and safeguard nonpublic, unclassified information that supports and enables the warfighter.

The CMMC Program provides a consistent methodology to assess a defense contractor's implementation of required cybersecurity requirements. The CMMC Program utilizes the security standards set forth in the 48 CFR 52.204-21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Basic Safeguarding of Covered Contractor Information Systems, Revision 2, February 2020 (includes updates as of January 28, 2021) (NIST SP 800-171 R2); and selected requirements from the NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, February 2021 (NIST SP 800-172 Feb2021), as applicable (see table 1 to § 170.14(c)(4) for requirements, see § 170.2 for availability of NIST publications).

The CMMC Program balances the need to safeguard FCI and CUI and the requirement to share information appropriately with defense contractors in order to develop capabilities for the DoD. The CMMC Program is designed to ensure implementation of cybersecurity practices for defense contractors and to provide DoD with increased assurance that FCI and CUI information will be adequately safeguarded when residing on or transiting contractor information systems.

The CMMC Program creates no right or benefit, substantive or procedural, enforceable by law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Preliminary guidance indicates that October 1, 2025 will be the go LIVE date for the CMMC 2.0 Program; however the actual, official date is still pending. Once final, USACE solicitations will specify the level certification required for performance under the contract. Direct all questions relating to the CMMC requirement for any action issued by the USACE to the Contracting Officer and Contract Specialist included on the SAM.gov publication announcement.

Reference: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170