For over a year, we have been discussing the Department of Defense’s (DoD) eventual implementation of a Cybersecurity Maturity Model Certification (CMMC) program for defense contractors, most recently during a webinar in September 2020 entitled "CMMC is (Almost) Here! Latest Developments and Best Practices for Government Contractors."
The CMMC framework is part of DoD’s efforts to enhance the protection of controlled unclassified information (CUI) within the federal supply chain. On September 29, the Pentagon released an interim rule under the Defense Federal Acquisition Regulation Supplement (DFARS) providing details on the implementation timeline of CMMC and the requirements defense contractors will have to adhere to starting November 30, 2020.
CMMC Five-Year Rollout
The interim rule specifies that the CMMC program will be introduced in a five-year phased rollout that will be complete by September 30, 2025. After that date, all defense contractors will be required to reach some level of CMMC certification if they are to receive future DoD contracts and subcontracts, except for DoD acquisitions solely for commercially available off-the-shelf (COTS) items. During the rollout, the Under Secretary of Defense for Acquisition and Sustainment (USD (A&S)) will determine and communicate to Contracting Officers which contracts will require contractors to undergo a full third-party CMMC assessment.