Tuesday, December 26, 2023

Review – DOD Publishes CMMC NPRM and Guidance

Today, the Department of Defense published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 89058-89138) for the “Cybersecurity Maturity Model Certification (CMMC) Program”. This rulemaking would “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) Program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs”. Separately, the DOD published a notice in the Federal Register (88 FR 89139-89140) that provides links to a series of guidance documents that would support the CMMC.

This rulemaking would modify the current CMMC program established by an interim final rule in September 2020. This new version (CMMC 2.0) would have three key features:

• Tiered model,

• Assessment requirement, and

• Implementation through contracts.

Public Comments

The DOD is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DoD-2023-OS-0063). Comments should be submitted by February 26th, 2024. I suspect that efforts will be made to get DOD to extend the comment period because of the holidays.


For more details about this proposed rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/dod-publishes-cmmc-nprm-and-guidance - subscription required.
