On October 15, 2024, the U.S. Department of Defense (DoD) released its final rule to establish
the Cybersecurity Maturity Model Certification (CMMC) Program (Final CMMC Program Rule).
The CMMC Program allows the DoD to verify that defense
prime contractors and subcontractors (defense contractors)
have implemented security safeguards for Federal Contract
Information (FCI) and Controlled Unclassified Information (CUI)
and are maintaining required safeguards during the contract
period of performance. The CMMC requirements apply to
defense contractors that process, store or transmit FCI or CUI
in the performance of a DoD contract or subcontract.
In a parallel effort, the DoD has also proposed an acquisition
rule – 48 C.F.R. Part 204 CMMC Acquisition Rule (or DFARS
rule) – that will amend the Defense Federal Acquisition
Regulation Supplement (DFARS) and contractually implement
the CMMC Program (32 C.F.R. part 170) through DoD
solicitations and contracts. In September, we described the
proposed DFARS rule, for which the comment period closed
on October 15, 2024. The DoD estimates it will publish the
final DFARS rule by mid-2025. The effective date of the final
DFARS rule (which is 60 days after it is published in the
Federal Register) is a key date, since that effective date will
initiate the CMMC Program’s phased rollout discussed below.