On Oct. 15, the U.S. Department of Defense issued a final rule establishing its Cybersecurity Maturity Model Certification Program requiring federal contractors and subcontractors competing for DOD contracts to demonstrate continued compliance with a range of cybersecurity measures in order to maintain eligibility for performing and winning new federal awards.

The new requirements apply to all contractors and subcontractors on DOD projects that process, store or transmit information on contractor servers that meet the standards for Federal Contract Information or Controlled Unclassified Information.

Requirements vary from a self-assessment of compliance with cybersecurity measures to triennial assessment and certification of compliance by third-party contractors or the DOD, depending on the data involved in a specific contract.

According to analysis by Wiley’s cybersecurity legal practice group, “The final rule also offers some clarity for contractors about the security requirements they will need to address under CMMC 2.0. The final rule incorporates by reference the security requirements in certain existing publications, such as NIST SP 800-171 Revision 2.”

In February 2024, ABC joined the U.S. Chamber of Commerce and eight other groups in submitting comments on the proposed rule calling for more clarity (e.g., definitions), expressing concerns about costs and asking questions regarding capacity and other process and organizational issues. The comments urged flexible implementation of CMMC program requirements.

The final rule is effective Dec. 16, 2024. However, CMMC 2.0 will be phased in over time, and the DOD estimates that full implementation by all defense contractors will take several years.

In addition, the phased implementation of CMMC 2.0 will begin only after the related Defense Federal Acquisition Regulation Supplement rule, Assessing Contractor Implementation of Cybersecurity Requirements––which would implement contractual requirements related to CMMC 2.0 and was proposed in August 2024––is finalized. This rule is expected to be finalized some time in 2025.

On Oct. 11, ABC submitted comments on the August 2024 proposed rule, again calling for critical clarifications and improvements to ensure CMMC 2.0 does not unnecessarily burden federal contractors. ABC also engaged over 200 members to submit comments urging the DOD to improve the rule through ABC’s grassroots regulatory efforts. Finally, ABC joined an Oct. 15 comment letter from a coalition of industry groups.

For more information on CMMC 2.0 and other cybersecurity requirements that affect contractors, visit abc.org/cybersecurity.