Cybersecurity Maturity Model Certification Program final rule published

Anticipated to be published in the Federal Register, Tuesday, October 15

https://dodcio.defense.gov/CMMC/about/
https://dodcio.defense.gov/CMMC/about/
Adobe Stock #964811494/neirfy

The final program rule for the Cybersecurity Maturity Model Certification (CMMC) Program was released for public inspection on federalregister.gov and is anticipated to be published in the Federal Register, Tuesday, October 15.

The purpose of CMMC is to verify that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats.

This rule streamlines and simplifies the process for small-and medium-sized businesses by reducing the number of assessment levels from the five in the original program to three under the new program.

This final rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and -172.  It also clearly identifies the 24 NIST SP 800-172 requirements mandated for CMMC Level 3 certification.

With the publication of this updated 32 CFR rule, DOD will allow businesses to self-assess their compliance when appropriate. Basic protection of FCI will require self-assessment at CMMC Level 1. General protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2. A higher level of protection against risk from advanced persistent threats will be required for some CUI. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center-led assessment at CMMC Level 3.

CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.  The CMMC Program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company's cybersecurity status.

With this revised CMMC Program, the Department also introduces Plans of Action and Milestones (POA&Ms).  POA&Ms will be granted for specific requirements as outlined in the rule to allow a business to obtain conditional certification for 180 days while working to meet the NIST standards.

The benefits of CMMC include:

  • Safeguarding sensitive information to enable and protect the warfighter
  • Enforcing DIB cybersecurity standards to meet evolving threats
  • Ensuring accountability while minimizing barriers to compliance with DOD requirements
  • Perpetuating a collaborative culture of cybersecurity and cyber resilience
  • Maintaining public trust through high professional and ethical standards 

The Department understands the significant time and resources required for industry to comply with DOD's cybersecurity requirements for safeguarding CUI and is intent upon implementing CMMC requirements to assess the degree to which they have done so. The Department would like to thank all the businesses and industry associations that provided input during the public comment period.  Without this collaboration, it would not have been possible to meet our goals of improving security of critical information and increasing compliance with cybersecurity requirements while simultaneously making it easier for small and medium-sized businesses to meet their contractual obligations.

Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments. Members of the defense industrial base may use cloud service offerings to meet the cybersecurity requirements that must be assessed as part of the CMMC requirement. The DOD CIO DIB Cybersecurity Program has compiled a list of current resources available at https://www.dibnet.dod.mil under DOD DIB Cybersecurity-as-a-Service (CSaaS) Services and Support.

The DOD's follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid-2025.  Once that rule is effective, DOD will include CMMC requirements in solicitations and contracts.  Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.  More information on the timing of the proposed DFARS rule can be found at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202404&RIN=0750-AK81.

More information on the CMMC Program can be found at https://dodcio.defense.gov/CMMC/.