On March 4, 2024, Dismas Locaria and Christopher Griesedieck published “The New Cybersecurity Maturity Model Certification Program Rule: FAQs for Federal Contractors and Subcontractors” in the Government Contracting Law Report. The following is an excerpt:
The Department of Defense (DoD) has delivered its proposed Cybersecurity Maturity Model Certification Program rule (CMMC), including several related guidance documents. The proposed rule is brand new, but we answer several “frequently asked questions” federal contractors and subcontractors may already have about it.
WHAT IS CMMC AGAIN?
DoD has been developing the CMMC Program for several years now. DoD describes it as a new “assessment mechanism” designed to “ensure defense contractors and subcontractors have . . . implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs.”