The Pentagon has unveiled its plans to launch the Cybersecurity Maturity Model Certification through a final rule published today laying out key definitions, applicability for contractors and parameters for the assessment process.
“With this final rule, DOD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI),” DOD says in the final rule.
It continues, “The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance.”
“This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats and other relevant changes,” according to DOD.
The 470-page rulemaking was published today in the Federal Register. It will go into effect in 60 days.
The final rule amends Title 32 of the Code of Federal Regulations to establish CMMC program requirements. DOD is working on a separate rulemaking to amend Title 48 of the CFR, which contains the department’s acquisition regulations.
The final rule outlines a four-phase plan to establish CMMC requirements for defense contracts and provides a walkthrough of the CMMC program from the perspective of an organization seeking assessment.
There is also a lengthy section of the rulemaking responding to comments on the 32 CFR proposed rule issued on Dec. 26 and a regulatory impact analysis going through the costs to implement the final rule.
Industry groups reacted positively to the rule, while emphasizing they will be closely watching the implementation.
“The publication of the final CMMC rule is a major milestone towards improving information security across the Defense Industrial Base, which is critical as adversaries continue to target the DOD supply chain with increasing levels of tenacity and sophistication,” Leopold Wildenauer of the Information Technology Industry Council said. “We will continue to engage with the Department as we analyze the final rule’s details to support its successful implementation.”
Aerospace Industries Association CEO Eric Fanning thanked DOD “for their coordination as they finalized this rule, bringing the Cybersecurity Maturity Model Certification from concept to reality.”
Fanning said, “We are reviewing the final rule closely now to understand how our feedback was incorporated. As with the review of any cybersecurity rule, we are keeping in mind the balance between the need for security and minimizing barriers for industry to meet customer needs.”
“Additionally, AIA looks forward to discussions with the Department of Defense to improve the identification and definition of controlled unclassified information (CUI), the catalyst for implementing CMMC within DOD contracts,” Fanning said.
He added, “Several more steps must be taken before CMMC is a seamless part of DOD contracting. The first step for defense industrial base companies will be scheduling their assessments and obtaining their certifications.”
“This phased approach is absolutely necessary due to the limited number of assessors to meet what we expect will be significant demand, especially among the supply chain. We are also paying close attention to and providing feedback on the upcoming rule that will establish requirements for CMMC, allowing CMMC to be fully incorporated into DOD contracts,” Fanning said.
DOD anticipates finalizing the 48 CFR rule in “early to mid-2025.” According to a Pentagon announcement, “Once that rule is effective, DOD will include CMMC requirements in solicitations and contracts. Contractors who process, store or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.”