DOD Proposed Rule Solidifies Plans for CMMC 2.0 Program: Security Requirements, Assessments, Affirmations, and Some Flow-Down Details
WHAT: The U.S. Department of Defense (DOD) has issued a proposed rule setting forth the requirements for its long-anticipated Cybersecurity Maturity Model Certification 2.0 (CMMC) program. The proposed rule primarily addresses security, assessment, and affirmation requirements for contractors that handle federal contract information (FCI) and controlled unclassified information (CUI). The proposed rule also outlines requirements for flow-down of CMMC obligations to subcontractors.
DOD announced that there will be eight CMMC program guidance documents that further describe assessment processes and provide additional guidance for contractor compliance. We will follow up with a deeper dive into the key elements and implications of this significant proposed rule. We’ve previously covered anticipated changes from the CMMC 1.0 program.
WHEN: DOD issued the proposed rule on December 26, 2023, with a 60-day comment period (through February 26, 2024).