The Department of Defense published the long-awaited proposed rule at the end of last year for the Cybersecurity Maturity Model Certification Program. The proposed rule is our first comprehensive look at the latest version of the CMMC program (referred to as CMMC 2.0), which will become effective once final changes are made to DoD contractor regulations. The program attempts to simplify the Department of Defense's various cybersecurity requirements and provide greater flexibility in the certification process.
As many know, the CMMC program is the Department of Defense's way of ensuring that defense contractors and service providers implement required cybersecurity measures. Under the program, companies will need to achieve a level of accreditation (either through self-assessment or third-party evaluation) based on the sensitivity of information related to the DoD program before they can receive contract awards.
CMMC 2.0 introduced a tiered model (with three levels). Under the proposed rule, there would also be a four-phase, two-and-a-half-year approach to implementing the program starting with basic requirements and progressing to more stringent requirements. Once the program takes effect, companies will need to meet requirements associated with the current phase and level of CMMC associated with their contracts.
There is a 60-day comment period for the proposed rule, and comments are due February 26, 2024. Comments can be submitted here. We anticipate that a significant number of comments will be submitted in response to the proposed rule. Concurrent with this proposed rule, DoD is also updating DoD contractor regulations through separate rulemaking, which is what triggers the CMMC program. This creates uncertainty about when the program will officially begin implementation; we expect the first phase of implementation to begin as early as late 2024, but most likely in 2025. For a more complete briefing, please visit our recent blog post here.
Put it into practice: Because the requirements for each level of CMMC are unlikely to change, defense contractors and companies serving the defense industry should begin executing their plans for meeting CMMC 2.0 obligations now. Even outside the defense industry, the CMMC standards are worth reviewing: they can serve as a best-practice guide and inform data security requirements for companies in critical infrastructure and other sectors.