The DoD’s Cybersecurity Maturity Model Certification final rule was released on Oct. 15, 2024.
CMMC cybersecurity requirements are complex, and defense contractors should start preparing now.
Companies must monitor several requirements to meet the new cybersecurity standards.
The Department of Defense (DoD) released a new Cybersecurity Maturity Model Certification (CMMC) final rule on Oct. 15, 2024, outlining a framework to strengthen cybersecurity requirements for defense contractors. The final rule is complex, and defense contractors should start preparing now to understand and adapt to new requirements.
Here are five key requirements to monitor now that the rule has been released:
The CMMC final rule goes into effect in December 2024. Organizations seeking certification (OSCs), assessors and members of the defense industrial base (DIB) are expected to adhere to final requirements through a four-phased implementation rollout.
External service providers (ESPs) that do not process, store or transmit controlled unclassified information (CUI) are exempt from CMMC certification.
OSCs must achieve at least an 80% compliant rating against the 110 security requirements in order to obtain a conditional certification. That said, within 180 days, each open item must undergo and pass a plan of action and milestones (POA&M) closeout assessment to achieve full compliance.
Domestic and international organizations will be subject to the same CMMC requirements. No additional time or special accommodations or tailoring will be granted to international contractors.
The affirming official is responsible for ensuring and affirming the contractor’s compliance with CMMC security requirements at multiple phases in the CMMC lifecycle.