Base
Rule 2024-22905 2024-10-15

Cybersecurity Maturity Model Certification (CMMC) Program

Defense Department

Abstract

With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.

Action & Dates

Action
Final rule.
Dates
This rule is effective December 16, 2024. The incorporation by reference of certain material listed in this rule is approved by the Director of the Federal Register as of December 16, 2024.
Effective Date
2024-12-16

Topics

Government procurement
Incorporation by reference

Document Excerpt

Department of Defense
Office of the Secretary
32 CFR Part 170
[Docket ID: DoD-2023-OS-0063]
RIN 0790-AL49

AGENCY: Office of the Department of Defense Chief Information Officer (CIO), Department of Defense (DoD).

ACTION: Final rule.

SUMMARY: With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.

DATES: This rule is effective December 16, 2024. The incorporation by reference of certain material listed in this rule is approved by the Director of the Federal Register as of December 16, 2024.

FOR FURTHER INFORMATION CONTACT: Ms. Diane Knight, Office of the DoD CIO at osd.pentagon.dod-cio.mbx.cmmc-inquiries@mail.mil or 202-770-9100.

SUPPLEMENTARY INFORMATION:

History of the Program

The beginnings of CMMC start with the November 2010, Executive Order (E.O.) 13556, [1] Controlled Unclassified Informatio

Full Document

Citation: 89 FR 83092