Cybersecurity Maturity Model Certification (“CMMC”) Program Final Rule Announced
October 23, 2024, Covington Alert
On October 15, 2024, the U.S. Department of Defense (“DoD”) released the final Cybersecurity Maturity Model Certification (“CMMC”) Program Rule (“the Rule”). The Rule formally establishes the CMMC Program for DoD and will solidify CMMC as the governing program for imposing and enforcing safeguarding requirements on DoD contractors for Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”). It is one of two complementary sets of regulations that, in combination, will govern operation of the Program and will impose new assessment and affirmation processes for all contractors to be eligible for certain contracts with DoD. The Rule will become effective December 16, 2024, sixty days after publication. Once the related Defense Federal Acquisition Regulation Supplement (“DFARS”) rule is implemented, the CMMC Program will likely have a significant impact on defense contractors and subcontractors storing, processing, or transmitting FCI or CUI.
The Rule has been a long time in the making. We have been advising clients on DoD safeguarding rules since 2013 and specifically about CMMC since it was introduced by DoD in 2019. For background on CMMC leading up to the issuance of the Rule, you can reference our first blog post on CMMC in July 2019 and our updates, including for Version 0.4, Version 0.6, Version 0.7, and Version 1.0. For specific background on Version 2.0, you can reference our initial blog post when it was announced and subsequent updates (here and here).
This client alert provides 1) an overview of the Rule, 2) background on the history of the Rule, 3) a walkthrough of the CMMC Program, 4) an overview of the Rule’s phased implementation, and 5) a discussion of key takeaways from the Rule. A table summarizing the CMMC Program is also included at the end of this client alert.