Overview & Analysis of DOD’s CMMC Proposed Rule

On December 26, the Department of Defense (DOD) published its long-awaited Cybersecurity Maturity Model Certification (CMMC) proposed rule in the Federal Register, along with associated guidance documents. The rule describes the CMMC 2.0 program, which includes assessment and certification requirements for 220,000 companies in the DOD supply chain. 

The proposed rule requires DOD suppliers at all tiers to follow specified security requirements depending on the type of government information they handle. More than 75,000 companies will be subject to “Level 2” requirements, which will involve a mandatory third-party assessment and eventually require certification to be eligible to receive DOD contract awards. The DOD is accepting comments until February 26.

For more detailed analysis and insights, read a full report from RJO’s Cybersecurity and Privacy Practice Group on the DOD’s proposed CMMC rule here.