Pentagon releases proposed rule on cybersecurity standards for contractors

The DOD released the proposed rule for the highly anticipated CMMC program.
River entrance of the U.S. Department of Defense. (Getty Images)

At long last, the Department of Defense has released its proposed rule on cybersecurity standards for contractors.

Following several years of development, the DOD in late 2021 shifted gears and unveiled the Cybersecurity Maturity Model Certification 2.0, which includes enhancements to the initial program first developed during the Trump administration. After reforming the program, the Pentagon has been working on a final rule that will mandate contractors that work with the department’s controlled unclassified information be CMMC certified, or risk losing their business.

The CMMC program is based upon a tiered cybersecurity framework that sets requirements for companies based on the level of security necessary for their work. The initiative was conceived to protect contractor information from being exploited by adversaries. Officials in years past have attributed $600 billion in annual losses to cyber thefts from adversaries.

An unpublished version of the proposed rule appeared on the Federal Register Dec. 22 — a few days before its official publication on Dec. 26.


The public comment period is 60 days from publication date.

The program is not without controversy, as some contractor advocates in the past have argued the program will be expensive, onerous — particularly for small businesses and non-traditional contractors — and confusing to keep up with.

CMMC 2.0 sought to simplify things with three key features:

  • The first is a tiered model that requires contractors to implement cybersecurity standards on a three-level scale based on the sensitivity of the information.
  • The second is an assessment requirement that allows DOD to verify implementation of the standards.
  • And the third is implementation through contracts. Once CMMC contracts are fully implemented, DOD contractors that handle sensitive information must achieve a particular CMMC level in order to win the prospective contract.

Updated on Dec. 28, 2023: This story has been updated to include a link to the proposed rule that was officially published Dec. 26.

Latest Podcasts