After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the Final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Supplement, and DoD expects to require CMMC certifications as a condition of award beginning in 2025 as part of a phased-in approach.
The final CMMC program rule is the culmination of a lengthy rulemaking process to implement third-party certified cybersecurity program standards for the Defense Industrial Base. The DoD has significantly revised CMMC program requirements since the inception of CMMC 1.0 in 2020. At its most basic level, the CMMC program is a transition from a self-certification model for cybersecurity compliance to the third-party verification process contemplated by the CMMC program rule.
Read on to learn more about the final rule and its implications for contractors and subcontractors.