Today, the Cybersecurity Maturity Model Certification (CMMC) Program final rule was released for public inspection at federalregister.gov and is expected to be published in the Federal Register on Tuesday, October 15.
The goal of CMMC is to ensure that defense contractors comply with existing safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and protect that information at a level commensurate with the risk from cybersecurity threats, including persistent threats.
This rule streamlines the program for small and medium-sized businesses by reducing the number of assessment levels from five in the original program to three under the new program.
This final rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation section 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and 800-172. It also identifies the 24 NIST SP 800-172 requirements mandated for CMMC Level 3 certification.
With the promulgation of this revised 32 CFR rule, DoD will allow businesses to self-assess their compliance when appropriate. Basic protection of FCI will require self-assessment at CMMC Level 1. General protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2. A higher level of protection against risk from evolving, persistent threats will be required for some CUI. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center-led assessment at CMMC Level 3.
CMMC provides the tools to hold accountable organizations or individuals who put U.S. information or systems at risk by willfully misrepresenting their cybersecurity practices or protocols, or by willfully violating their obligations to monitor and report cybersecurity incidents and breaches. The CMMC program implements an annual affirmation requirement that is an important factor in monitoring and ensuring accountability for a company's level of cybersecurity.
With this updated CMMC Program, the Department is also introducing Plans of Action and Milestones (POA&Ms). POA&Ms will be subject to specific requirements as outlined in the rule, allowing a business to obtain conditional certification for 180 days while working to meet the NIST standards.
CMMC benefits include:
- Safeguarding sensitive information to enable and protect the warfighter
- Enforcing DIB cybersecurity standards to meet evolving threats
- Ensuring accountability while reducing barriers to compliance with DoD requirements
- Promoting a collaborative culture of cybersecurity and cyber resilience
- Maintaining public trust through high professional and ethical standards
The Department understands the significant time and resources required for industry to comply with DoD's cybersecurity requirements for protecting CUI and is committed to implementing CMMC requirements to assess how well they have done so. The Department is grateful to all businesses and industry associations that provided comments during the public comment period. Without this partnership, it would not have been possible to achieve our goals of improving the security of critical information and increasing compliance with cybersecurity requirements while at the same time enabling small and medium-sized businesses to meet their contractual obligations.
Businesses in the defense industrial base should take steps to measure their compliance with existing security requirements and be prepared to undergo CMMC assessments. Members of the defense industrial base may use cloud services to meet cybersecurity requirements that must be assessed as part of the CMMC requirement. The DoD CIO DIB Cybersecurity Program has compiled a list of current resources, available at dibnet.dod.mil under DoD DIB Cybersecurity-as-a-Service (CSaaS) Services and Support.
A companion DoD rule change to the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the CMMC contract program will be published in early 2025. Once that rule goes into effect, DoD will include CMMC requirements in solicitations and contracts. Contractors that process, store, or transmit FCI or CUI must meet the applicable CMMC level as a condition of contract award. More information on the timing of the DFARS proposed rule can be found at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202404&RIN=0750-AK81.
More information about the CMMC Program can be found at https://dodcio.defense.gov/CMMC/.