Final Rule Out CMMC—Effective December 16, 2024
Cybersecurity is a top priority for the Department of Defense (DoD). The defense industrial base (DIB) faces increasingly frequent, and complex cyberattacks. To strengthen DIB cybersecurity and better safeguard DoD information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) Program to assess existing DoD cybersecurity requirements.
In its Final Rule, effective December 16, 2024, DoD DoD establishes the CMMC Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.
Key features of the CMMC Program:
Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.
Assessment Requirement: CMMC assessments allow the DoD to verify DIB implementation of existing cybersecurity standards.
Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.
Helpful Links to the Rule and DoD CMMC site for more information and guides to implementation:
DoD Helpful Cite: https://dodcio.defense.gov/cmmc/About/