16 October 2024

DOD Crystalizes CMMC 2.0 Program Rule

Wiley Rein

Contributor


WHAT: On October 15, 2024, the U.S. Department of Defense (DOD) will publish the final CMMC 2.0 Program rule. DOD's final rule outlines the mechanisms that DOD will use to prescribe cybersecurity standards for safeguarding federal contract information (FCI) or controlled unclassified information (CUI), and to confirm that covered defense contractors and subcontractors have implemented the security requirements before award of covered contracts and maintain those safeguards during contract performance. The final rule details the tiered model of cybersecurity requirements DOD will use based on the type of information stored on a contractor's information system and the requirements for certifications and assessments based on the contract's assigned CMMC level.

WHEN: The final rule will take effect on December 16, 2024 (60 days after publication); however, CMMC's phased implementation will begin only after the related DFARS Acquisition rule takes effect. The Acquisition proposed rule is open for comment until October 15, 2024 (we covered the proposed Acquisition rule here).

WHAT THIS MEANS FOR INDUSTRY: When the CMMC Program rule and the complementary DFARS Acquisition rule are both finalized and in effect, DOD will begin its phased implementation plan in which contracting officers will assign a CMMC level and assessment type requirement to solicitations and resulting DOD contracts involving the processing, storing, or transmitting of FCI or CUI on a non-federal system. A contractor must meet the CMMC level, as confirmed by the appropriate assessment type, to be eligible for a contract award, unless the agency issues a waiver. The final CMMC Program rule extends Phase 1 of the implementation by six months from the timeline in the December 2023 proposed rule.

The final rule also offers some clarity for contractors about the security requirements they will need to address under CMMC 2.0. The final rule incorporates by reference the security requirements in certain existing publications, such as NIST SP 800-171 Revision 2. DOD foreshadows, however, that the rule "will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes."
