After a lengthy series of revisions and what feels like an eternity in regulatory limbo, the Department of Defense’s (DoD) long-awaited cybersecurity compliance policy has finally arrived.
Today, the DoD made the final rule for the Cybersecurity Maturity Model Certification (CMMC) Program available for public inspection on federalregister.gov, with formal publication scheduled for the Federal Register on Oct. 15.
“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” according to a statement from the department.
With the release of the final rule, businesses can now conduct self-assessments for compliance.
The CMMC program requires that Defense Industrial Base (DIB) contractors and subcontractors implement the necessary security measures for Federal Contract Information (FCI), and it introduces new security requirements for Controlled Unclassified Information (CUI) associated with specific priority programs.
To ensure basic protection of FCI, companies must achieve CMMC Level 1. For general protection of CUI, either a third-party assessment or a self-assessment at CMMC Level 2 is necessary. To address the higher risk posed by advanced persistent threats, some CUI will require CMMC Level 3, an assessment led by the Defense Industrial Base Cybersecurity Assessment Center.
Additionally, the CMMC program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company’s cybersecurity status.
The final rule aligns the program with the cybersecurity requirements outlined in Federal Acquisition Regulation part 52.204-21 and NIST Special Publications (SP) 800-171 Rev 2 and 800-172. It also specifies the 24 NIST SP 800-172 requirements that are mandatory for CMMC Level 3 certification.
The DoD first published interim rules for the CMMC program in 2020, setting out to create a standardized framework for protecting sensitive information in the defense supply chain. However, the initial rollout faced significant backlash from defense contractors, especially over the hefty compliance costs.
In response to the grumbling, the DoD rolled out CMMC 2.0 in 2021, aiming to tackle these issues and simplify the compliance process. One of the standout changes in the final rule is the reduction of required cybersecurity assessment levels for DIB contractors and subcontractors from five to three.
The final rule had been under review by the Office of Information and Regulatory Affairs (OIRA) since late June. OIRA cleared the final rule for the CMMC program on Sept. 13.
With the release of the final CMMC rule, the DoD also published accompanying Plans of Action and Milestones, which grant conditional certification for 180 days for specific requirements outlined in the rule, allowing businesses time to work towards meeting the NIST standards.
Additionally, the DoD will publish its Defense Federal Acquisition Regulation Supplement (DFARS) follow-on rule – cleared by OIRA on Aug. 15 – to contractually implement the CMMC Program in early to mid-2025.
Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award.
The comment period for the DFARS rule will close on Oct. 14.