[co-author: Sidney Howe*]
The Department of Defense published the final version of its Cybersecurity Maturity Model Certification (CMMC) rule last week. This rule establishes the parameters of the program and timeline for implementation. A separate rule to finalize associated contract requirements is expected early to mid-next year. For a deep-dive into noteworthy takeaways for the Final Rule, see our analysis here. Here are some highlights:
As many know, the goal of the CMMC program is to strengthen cybersecurity across the Defense Industrial Base by implementing a framework to ensure contractors and subcontractors adequately protect sensitive unclassified information under Department of Defense contracts. The framework requires contractors to implement cybersecurity standards at various levels (Levels 1-3) depending on the sensitivity of the information they hold, and to undergo related assessments and provide affirmations regarding compliance.
Once contract requirements are finalized, implementation of the CMMC program will be spread out over four phases spanning three years. With very limited exceptions, all companies contracting with the Department of Defense and their service providers will be impacted by this program.
*Sidney Howe is a Cybersecurity Fellow in the Governmental Practice in the firm’s Washington, D.C. office.
Putting It Into Practice: To be in the best position to be prepared, impacted companies should focus now on CMMC compliance – if they have not already. They can do this by scoping and completing the required assessments, which can take time. Once CMMC requirements are applied to a solicitation, companies will be ineligible to receive contracts if they do not have the required CMMC compliance in place.
