Cybersecurity

About CMMC

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a framework launched by the Department of Defense (DoD) to protect the Defense Industrial Base (DIB) from increasingly frequent and sophisticated cyberattacks. It specifically aims to safeguard two categories of information shared within the DIB: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC 2.0 builds on existing trust-based regulations (DFARS 252.204-7012) by adding a verification component for cybersecurity requirements. The program has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The rule also sets forth the process by which the requirement to protect FCI and CUI is flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards through the use of approved assessors.
  • Implementation through Contracts: Once CMMC is fully implemented, DoD contractors that handle FCI and/or CUI electronically will be required to achieve the specified CMMC level as a condition of contract award.

It is imperative that all HII subcontractors and suppliers that receive or generate FCI and/or CUI meet these DFARS requirements in order to be eligible for future work that carries CMMC 2.0 requirements. Together, our continued diligence will protect vital information, minimize risk and secure a competitive advantage for all parties.

Cyber Incident Reporting

When a cyber incident is discovered, contractors, subcontractors and suppliers must conduct a review for evidence of compromise of covered defense information and report the incident to the DoD and to HII within 72 hours of discovery. Reports to the DoD are submitted through DIBNet (https://dibnet.dod.mil), which requires a DoD-approved medium assurance certificate, so obtain that certificate before an incident occurs rather than during the 72-hour window. A "cyber incident" is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Supplier Flow Down

When engaging other suppliers that require access to covered defense information in performance of a contract, include the DFARS 252.204-7012 clause in any subcontracts or similar contractual instruments with those suppliers. The full text of the clause is published on acquisition.gov.

FAQs

CMMC requirements take effect when the final rule for DFARS Case 2019-D041 is published with an effective date, enacting the 48 CFR language and DFARS Clause 252.204-7021. This is currently estimated for August 2025, based on the publication of the proposed rule in August 2024. The proposed rule for DFARS Case 2019-D041 (the CMMC clause) is available here: https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of

Phase 1 begins on the 48 CFR DFARS Clause 252.204-7021 effective date, and requires self-assessment for Level 1 and Level 2 on new contracts.

Phase 2 begins 1 year after the 48 CFR DFARS Clause 252.204-7021 effective date, and requires C3PAO certification for Level 2 on new contracts.

Phase 3 begins 2 years after the 48 CFR DFARS Clause 252.204-7021 effective date, and requires DIBCAC certification for Level 3 on new contracts and C3PAO certification for Level 2 on option exercises.

Phase 4 begins 3 years after the 48 CFR DFARS Clause 252.204-7021 effective date, and requires full implementation of all the above requirements on all new contracts and option exercises.

The required CMMC level is specific to each contract and depends on the information HII flows down to your company. If we flow down FCI, Level 1 will be required. If we flow down CUI, Level 2 will be required.

Per FAR 52.204-21(a): Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Per 32 CFR Part 2002.4(h): Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

See also the DoD CUI Quick Reference Guide at dodcui.mil

CMMC requirements apply to your company when your first new HII contract that flows down the DFARS 252.204-7021 clause is awarded after the 48 CFR effective date.

HII recommends that your company be compliant to the required CMMC Level specified in the RFP at the time of your proposal submission.

The following exemptions apply for CMMC requirements: 

  • Commercial Off The Shelf (COTS) Products
  • Purchases below the current micro-purchase threshold (Per FAR 2.101: $10,000)

You are also not required to implement CMMC if your company does not generate, receive, or transmit FCI or CUI electronically. Examples:

  • You only receive paper copies of CUI
  • You have “view only” access to CUI information via a secure enclave
  • You have an HII-provided asset on the HII network