
On Sept. 9, the U.S. Department of Defense issued a final rule implementing its Cybersecurity Maturity Model Certification Program into the Defense Federal Acquisition Regulation, requiring federal contractors and subcontractors competing for DOD contracts to demonstrate continued compliance with a range of cybersecurity measures in order to maintain eligibility for performing and winning new federal awards.

This is the last step in a multiyear process to finalize CMMC regulations, which will now be phased in over a three-year implementation period beginning on the final rule’s effective date, Nov. 10.

The new requirements apply to all contractors and subcontractors on DOD projects that process, store or transmit, on contractor servers, information that meets the standards for Federal Contract Information or Controlled Unclassified Information.

Requirements vary from a self-assessment of compliance with cybersecurity measures to triennial assessment and certification of compliance by third-party contractors or the DOD, depending on the data involved in a specific contract.

On Oct. 11, ABC submitted comments on the August 2024 proposed rule, calling for critical clarifications and improvements to ensure CMMC 2.0 does not unnecessarily burden federal contractors. ABC also engaged over 200 members to submit comments urging the DOD to improve the rule through ABC’s grassroots regulatory efforts. Finally, ABC joined an Oct. 15 comment letter from a coalition of industry groups.

Based on public comments by ABC and others, the final rule removed a burdensome and duplicative requirement to report lapses in information security to the contracting officer within 72 hours, provided a definition of Federal Contract Information and made other clarifications.

For more information on ABC’s engagement on the development of this final rule, as well as compliance resources and member-only webinar recordings, visit ABC’s Cybersecurity Resource Guide.
