Proposed CMMC rule includes requirement waiver requests

The U.S. Department of Defense has unveiled a proposed Cybersecurity Maturity Model Certification rule that would require federal contractors to attain a particular cybersecurity level by contract awarding but would also enable the waiving of certain evaluation requirements involving federal contract information disclosure or creation, reports DefenseScoop. "Once CMMC requirements have been implemented in the [Defense Federal Acquisition Regulation Supplement], the solicitation will identify the specific CMMC Level required for that procurement... In such cases, the solicitation will not include a CMMC assessment requirement. In some scenarios, DoD may elect to waive application of CMMC third party assessment requirements to a particular procurement. Such waivers may be requested and approved by the Department in accordance with DoD's internal policies and procedures," said the proposed rule. Such a proposed rule comes after concerns regarding the lack of waivers were raised in previous CMMC proposals. Comments for the proposed rule will be accepted until Feb. 26, 2024.