Military & Veterans News

DoD Announces Cybersecurity Maturity Model Certification Program for Contractors

Today, the Department of Defense publishes, for a 60-day comment period, a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program at https://www.regulations.gov/docket/DOD-2023-OS-0063.

CMMC is designed to ensure that defense contractors and subcontractors are compliant with existing information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that sensitive unclassified information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats. 

The proposed rule published today revises certain aspects of the program to address public concerns in response to DoD's initial vision for the CMMC 1.0 program, as originally published on Sep. 29, 2020. With its streamlined requirements, the CMMC program now provides for:

  • Simplified compliance by allowing self-assessment for some requirements
  • Priorities for protecting DoD information
  • Reinforced cooperation between the DoD and industry in addressing evolving cyber threats  

As discussed in the proposed rule, CMMC requires cybersecurity assessment at only three levels, starting with basic safeguarding of FCI at CMMC Level 1. 

General protection of CUI will require assessment at CMMC Level 2, and a higher level of protection against risk from advanced persistent threats will require assessment at CMMC Level 3. This rule also adds flexibility by allowing for limited use of Plans of Action and Milestones and a government waiver request process. DoD estimates that overall program costs will be reduced by allowing self-assessments for Level 1 and some Level 2 assessments, and by minimizing cost to industry for Level 3 assessments by having Government assessors from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct these assessments.

Additionally, CMMC aligns directly with the cybersecurity requirements described in National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172.

Concurrent with the CMMC proposed rule, DoD is also requesting comment on eight CMMC guidance documents, which can be accessed at https://www.regulations.gov/docket/DOD-2023-OS-0096, and several new information collections, which are available at https://www.regulations.gov/docket/DOD-2023-OS-0097. More information on the overall CMMC program can be found at https://dodcio.defense.gov/CMMC/.

A follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule for CMMC will be provided for public comment in 2024. The existing 48 Code of Federal Regulations (CFR) rule will be modified to align with the 32 CFR rule for CMMC. More information on the timing of the proposed DFARS rule can be found at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81.

CMMC 1.0 was published as an interim DFARS rule (2019-D041): Assessing Contractor Implementation of Cybersecurity Requirements, which can be found at https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.

The DoD CMMC program is now fully defined by the current rulemaking in the 32 CFR regulatory process.
