The Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification (CMMC) program rule in the Federal Register on Oct. 15, 2024.
CMMC was established to verify that contractors have implemented required security controls to protect federal contract information (FCI) and controlled unclassified information (CUI).
Two important parts of the CMMC Rule are: 32 CFR Part 170, which describes the program in detail, and 48 CFR, which discusses how CMMC requirements are to be included in solicitations.
Who is affected by the new guidance?
The three-tiered CMMC model provides the DoD with elevated assurance that contractors and subcontractors are meeting cybersecurity requirements for nonfederal systems that process CUI. The rule, which takes effect Dec. 16, 2024, provides for assessments at three levels, described below.
Level one requirements: Basic safeguarding of FCI
This level applies to DoD contractors who handle FCI but not CUI. It requires an annual self-assessment and an annual affirmation of compliance with the 15 security requirements in Federal Acquisition Regulation (FAR) clause 52.204-21.
Level two requirements: Broad protection of CUI
This level applies to DoD contractors who handle CUI and requires alignment with the 110 controls in NIST SP 800-171 r2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Additionally, either an assessment by a CMMC third-party assessment organization (C3PAO) or, for selected programs, a self-assessment is required every three years. Which type of assessment applies is determined by the type of information stored, processed, or transmitted on the contractor's or subcontractor's information systems. Annual affirmations are also required.