The Department of Defense published the final version of its Cybersecurity Maturity Model Certification (CMMC) rule last week. This rule establishes the parameters of the program and timeline for implementation. A separate rule to finalize associated contract requirements is expected early to mid-next year. For a deep-dive into noteworthy takeaways for the Final Rule, see our analysis here. Here are some highlights:
As many know, the goal of the CMMC program is to strengthen cybersecurity across the Defense Industrial Base by implementing a framework to ensure contractors and subcontractors adequately protect sensitive unclassified information under Department of Defense contracts. The framework requires contractors to implement cybersecurity standards at various levels (Levels 1-3) depending on the sensitivity of the information they hold, and to undergo related assessments and provide affirmations regarding compliance.
Once contract requirements are finalized, implementation of the CMMC program will be spread out over four phases spanning three years. With very limited exceptions, all companies contracting with the Department of Defense and their service providers will be impacted by this program.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.