DoD publishes final rule on Cybersecurity Maturity Model Certification program

Lloyd James Austin, Secretary of Defense & Kathleen H. Hicks, Deputy Secretary of Defense | https://www.defense.gov/About/Leadership/


The Department of Defense (DoD) has released the final rule for the Cybersecurity Maturity Model Certification (CMMC) Program, which is now available for public inspection on federalregister.gov. The rule is expected to be published in the Federal Register on October 15.

The CMMC Program aims to ensure that defense contractors adhere to existing protections for federal contract information (FCI) and controlled unclassified information (CUI), protecting this data from cybersecurity threats. The updated rule reduces the number of assessment levels from five to three, simplifying the process for small and medium-sized businesses.

According to the DoD, "This final rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and -172." It also specifies the NIST SP 800-172 requirements needed for Level 3 certification under CMMC.

Under this new regulation, businesses can self-assess their compliance where suitable. For basic FCI protection, a self-assessment at CMMC Level 1 is necessary. General protection of CUI requires either a third-party or self-assessment at Level 2. A higher level of protection against advanced persistent threats will necessitate an assessment led by the Defense Industrial Base Cybersecurity Assessment Center at Level 3.

The DoD stated, "CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols."

A significant addition in this revised program is Plans of Action and Milestones (POA&Ms), allowing businesses conditional certification for up to 180 days while they work towards meeting NIST standards.

The benefits outlined include safeguarding sensitive information, enforcing cybersecurity standards within the defense industrial base, ensuring accountability, fostering a culture of cyber resilience, and maintaining public trust through high ethical standards.

Acknowledging industry efforts during development, DoD expressed gratitude: "Without this collaboration, it would not have been possible to meet our goals."

Businesses involved in defense contracts should evaluate their compliance with the security requirements as they prepare for upcoming assessments. Cloud services may help companies meet these requirements; current resources are listed under DoD DIB Cybersecurity-as-a-Service Services and Support on dibnet.dod.mil.

An amendment to implement these changes within contracts through a Defense Federal Acquisition Regulation Supplement rule is anticipated between early and mid-2025. Contractors handling FCI or CUI must achieve relevant CMMC levels before being awarded contracts once these rules take effect.

Further details about both the CMMC Program and DFARS amendments are available online via official DoD platforms.