Page 137 - Cyber Defense eMagazine March 2024
Department of Defense Publishes Long-Awaited CMMC Proposed Rule
By Richard Arnholt, Member, Bass, Berry & Sims & Adam Briscoe, Associate, Bass, Berry & Sims
On December 26, 2023, the wait was over. After more than two years of watching as the Department of
Defense (DoD) abandoned its initial vision for the CMMC Program (CMMC 1.0) and announced the
“CMMC 2.0” Program in November 2021, federal contractors, government organizations, and other
industry groups finally laid eyes on the new Cybersecurity Maturity Model Certification (CMMC)
Program proposed rule.
The rule is designed to create a central mechanism to verify that sensitive unclassified information living
on a DoD contractor’s information systems is protected with adequate and standardized safeguards. It
attempts to place the burden on DoD contractors and subcontractors to effectively demonstrate that
sensitive information on their systems is adequately protected with the necessary security measures.
These new CMMC requirements apply to “[a]ll DoD contract and subcontract awardees that will process,
store, or transmit information that meets the standards for FCI [Federal Contractor Information] or CUI
[Contractor Unclassified Information] on contractor-controlled information systems.” The DoD estimates
that roughly 220,000 contractors, making up the majority of the defense supply chain, will need to comply
with some component of the proposed rule. However, there are notable exceptions to these new
requirements, including contracts or orders exclusively for commercially available off-the-shelf (COTS)
items, contracts or orders valued at or under the micro-purchase threshold, and those involving “Internet
Service Providers or telecommunications service providers.”
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.