On October 11, 2024, the U.S. Department of Defense (“DoD”) released an unpublished version of the Cybersecurity Maturity Model Certification (“CMMC”) Program Rule. The final rule will be published in the Federal Register on October 15, 2024 and will become effective sixty days after publication. This rule formally establishes the CMMC Program for DoD and is one of two complementary sets of regulations that govern operation of the Program.
The CMMC Program rule will provide DoD with a means to validate that contractors are in compliance with security measures necessary to safeguard Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) and will also impose stricter requirements around implementation of required security controls. The rule authorizes DoD to confirm that a defense contractor or subcontractor has implemented and maintains security requirements for a specified CMMC level (Level 1, Level 2, or Level 3) and assessment type (self-assessment, third party assessment, or government assessment) across the contract period of performance. The CMMC level required is based on the type of information that will be safeguarded during contract performance, and specific security requirements are specified for each level.
Separate from this rulemaking, on August 15, 2024, DoD published the proposed rule that complements the final CMMC Program rule. In contrast to the CMMC Program rule, that proposed rule would outline contract requirements around CMMC and would implement CMMC in the Defense Federal Acquisition Regulation Supplement (“DFARS”). When finalized, the procurement rule will require DoD to impose a specific CMMC level in a solicitation or contract. When CMMC requirements are applied to a solicitation through this procurement rule, contracting officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the passing results of a current certification assessment or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (“SPRS”) for all information systems that process, store, or transmit FCI or CUI during contract performance. DoD can impose CMMC requirements on contracts awarded before the procurement rule is finalized, but that would be done on a contract-by-contract basis. We addressed this proposed rule in a prior blog.