Pentagon issues proposed CMMC rule


The long-anticipated draft rule, which will be officially published on Dec. 26, outlines proposed updates to DOD’s cybersecurity requirements for defense contractors and subcontractors who handle sensitive military data.

The Pentagon is poised to release its draft updates to cybersecurity requirements for defense contractors and subcontractors next week, with the proposed rule seeking to tighten up current cyber requirements for firms that handle sensitive military information.

The proposed updates to the Department of Defense’s Cybersecurity Maturity Model Certification — or CMMC — program are set to be officially published in the Federal Register on Dec. 26. CMMC, which went into effect in 2020 and was updated in 2021 to streamline some of its requirements, outlines baseline security standards for the more than 70,000 companies that do business with DOD.

Although the proposed rule has not officially been published, a PDF version of the 234-page document is already accessible through the Federal Register.

DOD’s proposed CMMC rule update would, in part, require defense contractors and subcontractors to have “implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI)” and would “add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.”

A key part of companies’ compliance with CMMC is adhering to the standards outlined in the National Institute of Standards and Technology’s special publication 800-171, which establishes how they should secure CUI — unclassified government data that still requires protection. NIST previously released proposed revisions to 800-171 in November. 

A notice outlining “eight guidance documents for the CMMC program” is also available for download through the Federal Register, although the full materials — besides their titles and summaries of their contents — are not yet accessible. 

The public comment period for the proposed rule and for the associated guidance documents will be 60 days from their publication in the Federal Register.

Small contractors, in particular, have had challenges in the past complying with CMMC’s requirements. Experts have said that firms that plan to attain CMMC certification should move to better align their security practices with government standards — such as NIST 800-171 — now to get ahead of the final rule’s anticipated release sometime in late 2024. 

During a summit hosted by Washington Technology in November, industry representatives said defense firms — particularly smaller companies with less staffing and cybersecurity-focused funding — can work to ensure compliance with the enhanced rules by aligning their practices with publicly released cybersecurity standards and taking advantage of agencies’ private sector-focused cyber initiatives.