Alert

DOD Crystalizes CMMC 2.0 Program Rule

October 14, 2024

WHAT: On October 15, 2024, the U.S. Department of Defense (DOD) will publish the final CMMC 2.0 Program rule. DOD’s final rule outlines the mechanisms that DOD will use to prescribe cybersecurity standards for safeguarding federal contract information (FCI) or controlled unclassified information (CUI), and to confirm that covered defense contractors and subcontractors have implemented the security requirements before award of covered contracts and maintain those safeguards during contract performance. The final rule details the tiered model of cybersecurity requirements DOD will use based on the type of information stored on a contractor’s information system and the requirements for certifications and assessments based on the contract’s assigned CMMC level.

WHEN: The final rule will take effect on December 16, 2024 (60 days after publication); however, CMMC’s phased implementation will begin only after the related DFARS Acquisition rule takes effect. The Acquisition proposed rule is open for comment until October 15, 2024 (we covered the proposed Acquisition rule here).

WHAT THIS MEANS FOR INDUSTRY: When the CMMC Program rule and the complementary DFARS Acquisition rule are both finalized and in effect, DOD will begin its phased implementation plan in which contracting officers will assign a CMMC level and assessment type requirement to solicitations and resulting DOD contracts involving the processing, storing, or transmitting of FCI or CUI on a non-federal system. A contractor must meet the CMMC level, as confirmed by the appropriate assessment type, to be eligible for a contract award, unless the agency issues a waiver. The final CMMC Program rule extends Phase 1 of the implementation by six months from the timeline in the December 2023 proposed rule.

The final rule also offers some clarity for contractors about the security requirements they will need to address under CMMC 2.0. The final rule incorporates by reference the security requirements in certain existing publications, such as NIST SP 800-171 Revision 2. DOD foreshadows, however, that the rule “will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.”

Wiley’s cross-disciplinary team will follow up with a deeper dive into the key elements and implications of this significant final rule. We previously covered anticipated changes from DOD’s proposed rule for CMMC 2.0 here.
