On December 22, 2023, the U.S. Department of Defense (DoD) and Office of Management and Budget (OMB) released the text of the proposed Cybersecurity Maturity Model Certification (CMMC) rule to the Federal Register. The rule has been highly anticipated in the federal contractor industry and provides insight into the DoD’s intention for the future of the CMMC framework.
CMMC is the DoD’s program for protecting Controlled Unclassified Information (CUI). The framework requires contractors to establish a minimum baseline of requirements for securing CUI and maintaining an effective cybersecurity governance program, based upon the security functions described in NIST SP 800-171. While CMMC will be a new requirement, the expectation for defense contractors to secure CUI has been in place since 2016 via an existing DFARS rule. CMMC is designed to enforce these protections and validate that contractors are meeting a minimum set of security criteria to help reduce the risk of breaches of sensitive information via the DoD’s supply chain.
Full text of the proposed rule can be found here on the Federal Register’s site.
Public Comment Period
There will be a public comment window, providing Defense Industrial Base stakeholders with the opportunity to provide feedback on the pending requirements. From there, the DoD must adjudicate public comments and will include responses to those comments with the release of the final rule. A final rule can be expected in late 2024 or early 2025 based upon the anticipated comment review period.
The DoD has routinely stated that CMMC requirements will be phased into contracts over a multiyear period, with all applicable contracts eventually expected to contain CMMC considerations. Organizations functioning as subcontractors may be asked to demonstrate compliance by Prime Contractors at any point once the rule has been enacted.
In the coming weeks, the CMMC team at FORVIS will prepare a more in-depth analysis of the draft rule’s content and what it means for defense contractors across the country. Please visit our IT Risk & Compliance Services page for more insight analysis.
About FORVIS CMMC Capabilities
FORVIS was the sixth authorized CMMC Third-Party Assessment Organization (C3PAO) and has been a national leader in CMMC readiness consulting and voluntary NIST 800-171 assessments under the DoD Joint Surveillance Voluntary Assessment (JSVA) Program. Our team has significant experience helping contractors of various sizes in a multitude of industries with gap assessments, compliance program development, policy development, project management, and JSVA assessments.
If you have any questions or need assistance, please reach out to a professional at FORVIS.