Defense Department Sets Timeline for CMMC Rule Implementation by 2025
ICARO Media Group
### Pentagon Finalizes CMMC Rule, Sets Stage for 2025 Implementation
The Pentagon has taken a significant step towards the implementation of the Cybersecurity Maturity Model Certification (CMMC) by releasing the final rule for the program. The Department of Defense (DoD) aims to integrate CMMC requirements into contracts as early as mid-2025.
Public inspection of the finalized CMMC rule began today, with its official publication in the Federal Register slated for October 15. This rule formalizes the mechanisms and processes required for CMMC, which seeks to ensure that defense contractors adhere to stringent cybersecurity standards for safeguarding critical defense information. A highlight of the program is its shift from self-attestation to mandatory third-party audits for many contractors.
In a statement, the DoD acknowledged the extensive input from businesses and industry associations during the public comment period, thanking them for their collaboration. The department emphasized that this partnership was crucial for achieving the dual objectives of enhancing the security of critical information and simplifying compliance for small and medium-sized businesses.
Separately, the Pentagon introduced a proposed CMMC acquisition rule over the summer, with the comment period set to close on October 14. The final acquisition rule, expected to be published in early to mid-2025, will enable the integration of CMMC requirements into DoD solicitations and contracts.
The formulation of CMMC requirements has been a protracted process, spanning over five years. Driven by concerns about companies' non-compliance with cybersecurity obligations, which exposed sensitive, unclassified data to U.S. adversaries, the DoD has been diligently working on this initiative. The program underwent substantial revisions in 2022, resulting in the streamlined "CMMC 2.0."
During a recent appearance at the Professional Services Council's annual defense conference, Deputy DoD Chief Information Officer Dave McKeown referred to CMMC as a "glacial effort" due to its prolonged development period. However, he assured that its implementation is imminent and will soon be mandated in future contracts.
Under the new rule, CMMC requirements will be introduced gradually via a three-year phased rollout, allowing program managers discretion to include them in contracts during this period. The final rule delineates three distinct levels of CMMC, corresponding with different degrees of cybersecurity controls based on the sensitivity of the information handled.
CMMC Level One permits contractors handling less sensitive federal contract information to self-assess their compliance. Level Two, for contractors handling controlled unclassified information (CUI), requires third-party assessments conducted by auditors authorized by the Cyber Accreditation Body. Level Three, reserved for the most sensitive information, involves assessments led by the Defense Industrial Base Cybersecurity Assessment Center and incorporates the advanced cybersecurity controls of NIST Special Publication 800-172.
The DoD also introduced a mechanism for granting "Plans of Action and Milestones" (POA&Ms) to contractors who do not fully meet NIST requirements, allowing them to obtain conditional certification for 180 days while they work towards compliance.
As the program moves forward, the Pentagon is encouraging defense contractors to evaluate their current cybersecurity posture and readiness for CMMC assessments. To alleviate cost and complexity concerns, especially for small businesses, the DoD is promoting cloud services and managed solutions that can help meet CMMC requirements. Furthermore, partnerships with large cloud service providers aim to streamline the certification process, potentially creating a system akin to FedRAMP for quicker adoption of compliant environments.
In summary, the finalization of the CMMC rule signifies a pivotal advancement in the Pentagon’s ongoing efforts to fortify the cybersecurity infrastructure of the defense industrial base, with mandatory compliance expected to be rolled out in phases starting mid-2025.