WHAT: On October 15, 2024, the U.S. Department of Defense (DOD) will publish the final CMMC 2.0 Program rule. DOD’s final rule outlines the mechanisms that DOD will use to prescribe cybersecurity standards for safeguarding federal contract information (FCI) or controlled unclassified information (CUI), and to confirm that covered defense contractors and subcontractors have implemented the security requirements before award of covered contracts and maintain those safeguards during contract performance. The final rule details the tiered model of cybersecurity requirements DOD will use based on the type of information stored on a contractor’s information system and the requirements for certifications and assessments based on the contract’s assigned CMMC level.
WHEN: The final rule will take effect on December 16, 2024 (60 days after publication); however, CMMC’s phased implementation will begin only after the related DFARS Acquisition rule takes effect. The Acquisition proposed rule is open for comment until October 15, 2024 (we covered the proposed Acquisition rule here).
WHAT THIS MEANS FOR INDUSTRY: When the CMMC Program rule and the complementary DFARS Acquisition rule are both finalized and in effect, DOD will begin its phased implementation plan in which contracting officers will assign a CMMC level and assessment type requirement to solicitations and resulting DOD contracts involving the processing, storing, or transmitting of FCI or CUI on a non-federal system. A contractor must meet the CMMC level, as confirmed by the appropriate assessment type, to be eligible for a contract award, unless the agency issues a waiver. The final CMMC Program rule extends Phase 1 of the implementation by six months from the timeline in the December 2023 proposed rule.
The final rule also offers some clarity for contractors about the security requirements they will need to address under CMMC 2.0. The final rule incorporates by reference the security requirements in certain existing publications, such as NIST SP 800-171 Revision 2. DOD foreshadows, however, that the rule “will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.”
[View source.]
