The Department of Defense has issued the final rule for a certification program that seeks to verify whether defense contractors comply with existing cybersecurity protections for federal contract information and controlled unclassified information.
DOD said Friday the final rule for the Cybersecurity Maturity Model Certification program is expected to be published in the Federal Register on Tuesday, Oct. 15.
According to the Pentagon, the follow-on rule change to the Defense Federal Acquisition Regulation Supplement to implement the CMMC program will be published in early to mid-2025.
Once the rule takes effect, DOD will incorporate CMMC requirements into solicitations and contracts.
Under CMMC 2.0, the number of assessment levels has been reduced from five to three to streamline the compliance process for small and medium-sized businesses.
Self-assessments will be required for the basic protection of FCI and the general protection of CUI. For some CUI, third-party assessments at CMMC Level 2 and Level 3 will be required for contractors.
DOD has introduced plans of action and milestones, which will be issued for specific requirements to allow a vendor to secure conditional certification for 180 days while working to meet the National Institute of Standards and Technology standards.