Defense Department Outlines Its Future Cybersecurity Program
Thursday, January 25, 2024
DoD Cybersecurity Maturity Model Certification
Print Mail Download i

The Department of Defense published a much-anticipated Proposed Rule at the end of last year for its Cybersecurity Maturity Model Certification program. The proposed rule is our first comprehensive look at the latest iteration of the CMMC program (referred to as CMMC 2.0), which will become effective once final changes are made to DoD regulations for contractors. The program attempts to streamline the various DoD cybersecurity requirements and provide greater flexibility in the certification process.

As many are aware, the CMMC program is the DoD’s method to ensure that defense contractors and their service providers implement required cybersecurity measures. Under the program, companies will need to achieve a level of certification (either through self-assessment or third-party assessment) based on the sensitivity of the information related to the DoD program before they can receive contract awards.

CMMC 2.0 introduced a tiered model (with three levels). Under the proposed rule, there would also be a four-phase, 2.5 year approach for implementation of the program starting with the basic requirements and progressing to the most rigorous requirements. Once the program starts to take effect, companies will need to meet the requirements associated with the current phase and CMMC level associated with their contracts.

There is a 60-day comment period for the Proposed Rule, with comments due February 26, 2024. Comments can be submitted here. We expect there will be a significant number of comments submitted in response to the Proposed Rule. In conjunction with this proposed rule, DoD is also updating the DoD regulations for contractors through separate rulemaking, which is the trigger for the CMMC program taking effect. This creates uncertainty as to when program implementation will officially begin, but we anticipate the first phase of implementation could begin as early as late 2024, but more likely in 2025. For a more complete briefing please visit our recent blog post here.

Putting It into Practice: Given that the requirements for each CMMC Level are unlikely to change, defense contractors and companies that serve the defense industry should begin executing on their plans for how to implement the CMMC 2.0 obligations. Even outside the defense industry, the CMMC standards are worth reviewing. They may be a guidepost for best practices and inform data security requirements for companies in critical infrastructure and other sectors.

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

CFPB Announces Update in Continued War on Mortgage Servicing Junk Fees
by: A.J. S. Dhaliwal , Mehul N. Madia
Kansas Enacts Earned Wages Access Law
by: A.J. S. Dhaliwal , Mehul N. Madia
New York Broadly Revises Hospital Financial Assistance, Medical Debt Collection and Related Requirements
by: Carmen Jule
Utah’s New AI Disclosure Requirements Effective May 1
by: Liisa M. Thomas , Kathryn Smith
The CPPA Signals Focus on Data Minimization and Consumer Requests
by: Brittany Walter
Nebraska Fourth State to Enact Privacy Law in 2024
by: Liisa M. Thomas , Kathryn Smith
Solving for Physician Burnout: Creating a Culture of Psychological Safety
by: Kathleen M. O'Neill , Samantha Young
CMS Finalizes Federal Minimum Staffing Standards for Nursing Homes
by: Lourdes Martinez , Gregory R. Smith
New Program Under Biden Executive Order to Prevent Access to American’s Sensitive Personal Data by Foreign Actors
by: Townsend L. Bourne , Jordan Mallory
FTC Votes to Ban Noncompete Agreements
by: John D. Carroll , Leo Caseria

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins