Pentagon releases final CMMC rule, paving way for implementation

The Pentagon has taken another big step forward to make CMMC a reality. DoD projects the requirements will start showing up in contracts by mid-2025.

The Defense Department released the final rule for the long-awaited Cybersecurity Maturity Model Certification program today, further paving the way for CMMC requirements to show up in contracts starting next year.

The final CMMC program rule was released for public inspection today. It’s expected to officially publish in the Federal Register on Tuesday, Oct. 15.

The rule establishes the mechanisms for the CMMC program. The goal of CMMC is to verify whether defense contractors are following cybersecurity requirements for protecting critical defense information. Many contractors will be required to receive a third-party audit under the program, a significant departure from the current regime of relying on self-attestation.

DoD released the proposed CMMC program rule last December. The department received 787 comments on the rule before the public submission period closed in February.

“The department would like to thank all the businesses and industry associations that provided input during the public comment period,” DoD said in a statement released today. “Without this collaboration, it would not have been possible to meet our goals of improving security of critical information and increasing compliance with cybersecurity requirements while simultaneously making it easier for small and medium-sized businesses to meet their contractual obligations.”

The final rule released today establishes the CMMC program and processes into law. Separately, the Pentagon published a proposed CMMC acquisition rule this past summer. The comment period on the proposed acquisition rule closes Oct. 14.

In its statement today, DoD said the final acquisition rule will be published in “early to mid-2025.”

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts,” DoD added.

CMMC a ‘glacial effort’

The Pentagon has been developing the CMMC requirements for more than five years. DoD began developing the rules due to concerns that many companies were not following contractual cybersecurity requirements, allowing U.S. adversaries to steal sensitive but unclassified data from their networks.

After significant industry pushback over the expected costs and impacts of the original program, however, DoD revised the program into the so-called “CMMC 2.0” in 2022.

During an appearance at the Professional Services Council’s annual defense conference on Tuesday, Deputy DoD Chief Information Officer Dave McKeown acknowledged how long it’s taken for CMMC to come to fruition.

“We’re nearing the end for sure – it has been a glacial effort,” McKeown said. “It has taken a long time, and it’s taken a lot of perseverance to work through getting the rule right and getting it approved, but we are definitely nearing the end, and it is imminent that this will be released, and everybody will have this in their contracts going forward.”

DoD will eventually scale the CMMC requirements across all applicable contracts. But in its proposed acquisition rule, the Pentagon laid out plans for a three-year-long “phased rollout” of the requirements. During that time, DoD program managers would have the discretion to include CMMC in contracts.

Three levels of CMMC

The final rule establishes three distinct “levels” of CMMC, as first envisioned under the revised program.

The CMMC requirements align with existing acquisition rules that require contractors to implement the cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication 800-171 for protecting controlled unclassified information.

Under level one, contractors that handle less sensitive “federal contract information” will be able to submit a self-assessment of their compliance.

Under CMMC level two requirements, contractors that are generally required to protect “controlled unclassified information,” or CUI, may be required to obtain a third-party assessment. Those auditors will be authorized by the Cyber Accreditation Body, a nonprofit that holds a contract with DoD.

Meanwhile, DoD says some CUI will require “a higher level of protection against risk from advanced persistent threats.” Contractors that handle that type of information will be required to get an assessment led by the Defense Industrial Base Cybersecurity Assessment Center as part of CMMC level three requirements. The level three requirements include additional cybersecurity controls laid out in NIST Special Publication 800-172.

“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” DoD said in its statement today.

The rule also allows DoD program offices to grant “Plans of Action and Milestones” for contractors that don’t fully comply with the NIST requirements. DoD says POA&Ms will be granted for “specific requirements as outlined in the rule to allow a business to obtain conditional certification for 180 days while working to meet the NIST standards.”

DoD in its statement released today encouraged companies in the defense industrial base to “take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments.”

Cloud plans

With companies and small business advocates raising concerns about the cost and complexities of CMMC, the Pentagon is also pointing businesses to cloud offerings and other managed services that could be used to meet the requirements.

Meanwhile, McKeown said DoD is partnering with large cloud service providers and managed service providers to establish a certification program that could meet “all or most” of CMMC requirements.

“There will probably be roles and responsibilities outlined between what the cloud service provider will do or the managed service provider will do, and what the customer will have to do, but it will make it streamlined,” McKeown said. “Much like FedRAMP, we’ll say that this has our seal of approval that it is CMMC compliant, and then partners can start doing their work out of these environments and not have to uplift their whole entire home network in order to meet the requirements. That’s going along very well.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
