DOD releases final rule for CMMC, setting the stage for implementation next year

The publication of the final rule moves to establish the CMMC 2.0 program in federal law.
An aerial view of the Pentagon, Washington, D.C., May 15, 2023. (DoD photo by U.S. Air Force Staff Sgt. John Wright)

The Pentagon has posted the final rule for the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), cementing the department’s plans to implement new cybersecurity standards for contractors by mid-2025.

The rule was released for public inspection on the Federal Register on Friday, and the Defense Department anticipates officially publishing the new guidelines Oct. 15, according to a Pentagon press release.

The CMMC program is based on a tiered cybersecurity framework that requires defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the information. The effort was conceptualized as a way to protect DOD data on contractor systems from being exploited by U.S. adversaries by ensuring those firms comply with widely accepted National Institute of Standards and Technology security controls.

The publication of the final rule comes after several years of work to revamp the original CMMC assessment framework initially developed during the Trump administration. Under CMMC 2.0, the Pentagon has reduced the number of assessment levels from five to three to streamline the compliance process for small and medium-sized contractors.

The Defense Department published its proposed rule for CMMC 2.0 in December 2023 to kickstart the federal rulemaking process. Another proposal to amend the Defense Federal Acquisition Regulation Supplement (DFARS) and implement cybersecurity compliance requirements in Pentagon contracts was later released in August of this year.

Moving forward, the Pentagon intends to publish the follow-on DFARS rule change by mid-2025, according to the department.

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award,” the Pentagon press release stated.

The new model will allow contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. More sensitive information will require companies to complete either third-party assessments or one conducted by the Defense Industrial Base Cybersecurity Assessment Center that will verify the implementation of the standards.

The CMMC program has received criticism in the past, as some defense contractor advocates have argued that it will be expensive, difficult and confusing for companies to comply with — especially small businesses and non-traditional contractors. In response, the Pentagon has worked to provide industry with resources to assist in their efforts to meet the cybersecurity standards.

In addition, the revised CMMC program will introduce “Plans of Action and Milestones” (POA&Ms), which allow contractors that do not meet every cybersecurity standard to receive a conditional certification for 180 days while they work to achieve compliance, according to the Pentagon.

“The Department understands the significant time and resources required for industry to comply with DoD’s cybersecurity requirements for safeguarding CUI and is intent upon implementing CMMC requirements to assess the degree to which they have done so,” the press release stated. “Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments.”