The Cybersecurity Maturity Model Certification (CMMC) is a program the Department of Defense (DoD) is rolling out to make sure companies working with it have sufficient cybersecurity measures in place to protect sensitive information. Think about all the important data that defense contractors handle: plans, communications, project details. The DoD wants to make sure that this information is well-protected from cyber threats.
In 2019, the DoD started working on a framework to make sure contractors and subcontractors meet certain security standards. This framework builds on the existing requirements of DFARS 252.204-7012 (which already obligates contractors handling Controlled Unclassified Information to implement NIST SP 800-171) and adds a way to verify compliance through third-party certification rather than self-attestation alone. The proposed rule is the set of guidelines and requirements the DoD is putting in place to get everyone on the same page.
The development of CMMC has been a step-by-step process. CMMC 1.0 was introduced under an interim DFARS rule published in 2020. In November 2021, the DoD announced CMMC 2.0, which is the foundation for the latest Proposed Final Rule (formally, a proposed rule establishing 32 CFR Part 170), published in the Federal Register on December 26, 2023.
The CMMC Proposed Final Rule introduces a framework with three levels of cybersecurity practices. Each level builds on the previous one, getting more advanced:
- Level 1: Foundational - Basic safeguarding practices drawn from FAR 52.204-21 that every contractor handling Federal Contract Information (FCI) should already be doing, like keeping antivirus software updated and managing passwords and user accounts.
- Level 2: Advanced - The 110 security requirements of NIST SP 800-171, for contractors that handle Controlled Unclassified Information (CUI), covering areas like encryption, access control, audit logging and incident response.
- Level 3: Expert - For the most sensitive CUI, adding a selected subset of the enhanced requirements in NIST SP 800-172, such as continuous monitoring and proactive threat hunting, on top of full Level 2 compliance.
Why three levels? Not every contractor handles the same type of information. Some might handle only basic contract details (FCI), while others handle detailed plans or sensitive communications (CUI). The three levels let companies match their security effort to the sensitivity of the information they hold, and give DoD officials and contracting officers assurance that the organizations they work with are protecting that information to a specific, verifiable standard.
Who will need to comply with the CMMC Proposed Final Rule?
If you’re a contractor or subcontractor working with the DoD, you’ll need to meet one of these levels. The specific level you need depends on the contracts you’re bidding on and on whether the information involved is FCI or CUI; subcontractors inherit the requirement for whatever information flows down to them.
Level 1 is an annual self-assessment, with the result and a senior official’s affirmation entered in the DoD’s Supplier Performance Risk System (SPRS); you still have to be able to demonstrate that every basic practice is actually in place. Level 2 comes in two flavors: some contracts allow a Level 2 self-assessment, while contracts involving more sensitive CUI require a certification assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO). Level 3 is assessed by the government itself, through the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and requires a current Level 2 C3PAO certification first.
When does the CMMC Proposed Final Rule go into effect?
The timeline for implementing CMMC 2.0 is still ongoing and subject to change, but the DoD has provided some guidance on a phased implementation over the next few years.
The CMMC rules will be rolled out in stages, eventually making the applicable CMMC level a condition of award for DoD contracts that involve FCI or CUI, with full implementation expected around 2028. Here’s the plan:
- Phase 1: Requires CMMC Level 1 or Level 2 self-assessments for applicable contracts. Starts on the effective date of the companion DFARS rule.
- Phase 2: Adds the requirement for Level 2 certification assessments by a C3PAO. Begins six months after Phase 1 starts.
- Phase 3: Adds CMMC Level 3 (DIBCAC) assessments. Begins one year after Phase 2 starts.
- Phase 4: Full implementation; CMMC requirements appear in all applicable solicitations and contracts. Begins one year after Phase 3 starts.
The DoD plans to include CMMC requirements for Levels 1, 2, and 3 in all new applicable contracts as soon as October 1, 2026. That said, there are some dependencies that must be met before these phases can begin. Namely, the final rule needs to be submitted to Congress by mid-October 2024 so that it can take effect before the end of December 2024.
Why? The congressional review period for a rule can’t cross from one Congress to the next. Because 2024 is an election year, a new Congress will be seated in early January 2025, which could delay the process. If the rule reaches Congress by mid-October, CMMC will become final by the end of December 2024 or very early in January 2025. If the rule reaches Congress after that, CMMC will not become final until sometime in March 2025.
FAQs
What is the proposed rule of the CMMC?
The proposed rule of the Cybersecurity Maturity Model Certification (CMMC) is a set of guidelines and requirements established by the Department of Defense (DoD) to ensure that defense contractors implement appropriate cybersecurity practices to protect sensitive information. It introduces a tiered framework with three levels of security, each with increasing complexity and rigor.
Is CMMC 2.0 rule-making complete?
As of September 2024, the rule-making process for CMMC 2.0 is not yet complete. The DoD is still finalizing the regulations and requirements. The rule-making process includes public comment periods and revisions before the final rules are officially published.
Is CMMC required yet?
As of September 2024, the CMMC 2.0 is not yet fully required for all defense contracts. The implementation of CMMC requirements is being phased in gradually, and specific timelines and requirements will be detailed in future DoD contracts as the rule-making process progresses.
What is the interim rule for CMMC?
The interim rule for CMMC is a temporary set of guidelines issued by the DoD to begin implementing CMMC requirements while the final rule-making process is still ongoing. This interim rule provides initial guidance and requirements for defense contractors to start preparing for CMMC compliance.
The CMMC interim rule was implemented through DFARS (clause 252.204-7021) and established a five-year phased approach to CMMC implementation, during which CMMC compliance was required only in select pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
The difference between a proposed rule and an interim rule is when the changes take effect relative to the public comment period. An interim rule takes effect immediately, before the DoD has responded to public comments; a proposed rule has no effect on its own and is binding only once the DoD has responded to comments and published a final rule. CMMC 1.0 was implemented through an interim rule, while CMMC 2.0 is being implemented through a proposed rule.
The CMMC proposed rule establishes security requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), included a period for public comment and review, and is still making its way through the final rulemaking process.
Has CMMC 2.0 been released?
CMMC 2.0 has been announced and is in the process of being finalized, but it has not been fully implemented as of September 2024. The DoD is working on the final details and regulations, and the official release and enforcement will follow the completion of the rule-making process.