PH Privacy
U.S. Department of Defense Set to Implement Its Cybersecurity Maturity Model Certification Program With Publication of New Rule
October 24, 2024
By Michelle A. Reed, Aaron Charfoos, Scott M. Flicker, Keith Feigenbaum, & Hunter Nagai
Introduction
On October 15, 2024, the Department of Defense (“DoD”) published the final version of its rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) Program under Title 32 of the Code of Federal Regulations (the “Title 32 Rule”).[1] The Title 32 Rule updates DoD’s national security regulations, while a parallel proposed rule under Title 48 aims to update the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) (the “Title 48 Rule”) to impose cybersecurity requirements on nearly all DoD contractors later this year.[2] As these long-awaited rules come to fruition, Defense Industrial Base (“DIB”) contractors of all sizes and at all levels (i.e., prime contractor or subcontractor) should assess their current cybersecurity compliance level and consider what will be required to compete for future DoD contracts.
Background
DoD initially proposed the Title 32 Rule on December 26, 2023, followed by the proposed Title 48 Rule on August 15, 2024. DoD’s finalization of the Title 32 Rule formally establishes the CMMC Program and outlines the security controls based on the CMMC 2.0 framework. The CMMC 2.0 framework, introduced in November 2021, is designed to enhance cybersecurity across the DIB by requiring contractors to meet specific security standards based on the sensitivity of the information they manage. Under the Title 32 Rule, contractors must comply with the requirements for their respective security level and undergo assessments to confirm compliance.[3] The Title 32 Rule also establishes processes and procedures for the assessment and certification of CMMC compliance, and institutes the roles and responsibilities of the federal government, contractors, and third parties involved in the assessment and certification process.[4]
The Title 32 Rule is set to come into effect on December 16, 2024. Since the rule is considered a major rule, it will be subject to a Congressional review period of up to 60 days prior to becoming finalized into law. Prior to the rule’s implementation, the Title 48 Rule will need to be finalized[5] and the Cyber AB[6]—the CMMC accreditation body—is expected to release its Compliance Assessment Guidelines for CMMC assessors.
Overview of the Title 32 Rule
The Title 32 Rule largely maintains the CMMC Program’s original structure but includes several important clarifications regarding its applicability, as well as an adjusted timeline for implementation. A table outlining the three-level CMMC 2.0 framework for assessment has now been codified in the Rule’s Preamble[7]: