Key Takeaways
- Final Rule and Timeline Established: The Department of Defense (DoD) officially published the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program in the Federal Register on October 15, 2024. Contractors are expected to begin meeting the new compliance standards in 2025.
- Risk-Based Tiers: The CMMC 2.0 framework uses a three-tier structure to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Requirements are tiered to align with the sensitivity of the data, ensuring adherence to widely accepted NIST security controls.
- Varying Verification: The required compliance verification method depends on the CMMC level: Level 1 permits self-assessments, while higher levels require mandatory third-party evaluations or government verification by bodies like the Defense Industrial Base Cybersecurity Assessment Center.
CMMC Final Rule Published in the Federal Register
The Department of Defense (DoD) has announced the final rule for Cybersecurity Maturity Model Certification (CMMC) 2.0, and contractors will be expected to meet these standards in 2025. The new guidelines were officially published in the Federal Register on October 15, 2024.
The CMMC program features a three-tier cybersecurity framework that requires defense contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) to achieve compliance at one of the three levels based on the sensitivity of the data. The CMMC 2.0 framework is designed to protect DoD data stored, processed or transmitted on contractor systems from exploitation by ensuring adherence to widely accepted NIST security controls.
Making CMMC Requirements Clearer
This final rule comes after years of work to refine the original CMMC framework, making the requirements clearer for contractors. The revised model permits contractors at Level 1 to perform self-assessments of their cybersecurity compliance. However, those working with more sensitive data will be required to undergo third-party assessments or evaluations by the Defense Industrial Base Cybersecurity Assessment Center to ensure they meet the necessary standards.
Auditwerx Can Assist with CMMC Readiness
Auditwerx is a candidate C3PAO ready to assist with your organization’s CMMC Readiness needs. As a trusted compliance partner, Auditwerx offers high-quality reporting paired with the industry knowledge you need for a seamless reporting experience.
FAQs
The Department of Defense (DoD) published the final rule for the CMMC 2.0 program in the Federal Register on October 15, 2024.
Contractors are expected to begin meeting the final CMMC 2.0 standards in 2025.
It is designed to protect Department of Defense (DoD) data, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), that is stored, processed, or transmitted on contractor systems.
The CMMC program features a three-tier cybersecurity framework that requires defense contractors to achieve compliance at one of three levels based on data sensitivity.
The revised model permits contractors at Level 1 (the lowest tier) to perform self-assessments of their cybersecurity compliance.
Organizations working with more sensitive data (higher levels) must undergo mandatory third-party evaluations by accredited independent assessors or evaluations by the Defense Industrial Base Cybersecurity Assessment Center.
The framework ensures adherence to widely accepted security controls published by the National Institute of Standards and Technology (NIST).
The final rule came after years of work to refine the original CMMC framework, primarily to make the requirements clearer and less complex for defense contractors.