The Department of Defense published a much-anticipated Proposed Rule at the end of last year for its Cybersecurity Maturity Model Certification program. The proposed rule is our first comprehensive look at the latest iteration of the CMMC program (referred to as CMMC 2.0), which will become effective once final changes are made to DoD regulations for contractors. The program attempts to streamline the various DoD cybersecurity requirements and provide greater flexibility in the certification process.

As many are aware, the CMMC program is the DoD’s method to ensure that defense contractors and their service providers implement required cybersecurity measures. Under the program, companies will need to achieve a level of certification (either through self-assessment or third-party assessment) based on the sensitivity of the information related to the DoD program before they can receive contract awards.

CMMC 2.0 introduced a tiered model with three levels. Under the proposed rule, there would also be a four-phase, 2.5-year approach to implementation of the program, starting with the basic requirements and progressing to the most rigorous requirements. Once the program starts to take effect, companies will need to meet the requirements associated with the current phase and with the CMMC level associated with their contracts.

There is a 60-day comment period for the Proposed Rule, with comments due February 26, 2024. Comments can be submitted here. We expect there will be a significant number of comments submitted in response to the Proposed Rule. In conjunction with this proposed rule, DoD is also updating the DoD regulations for contractors through separate rulemaking, which is the trigger for the CMMC program taking effect. This creates uncertainty as to when program implementation will officially begin; we anticipate the first phase of implementation could begin as early as late 2024, but more likely in 2025. For a more complete briefing, please visit our recent blog post here.

Putting It into Practice: Given that the requirements for each CMMC Level are unlikely to change, defense contractors and companies that serve the defense industry should begin executing on their plans for how to implement the CMMC 2.0 obligations. Even outside the defense industry, the CMMC standards are worth reviewing. They may be a guidepost for best practices and inform data security requirements for companies in critical infrastructure and other sectors.