The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require defense contractors and subcontractors to obtain the requisite certification level depending on whether their respective information systems will process, store, or transmit Federal Contract Information and/or Controlled Unclassified Information (CUI). The Rule spawned a litany of questions during the public comment period, most notably about CUI. In this Feature Comment, Alexander Major and Philip Lee address the fundamental challenge facing the CMMC: how can contractors protect the controlled unclassified data that DOD can’t/won’t/isn’t properly identifying?