Cybersecurity Maturity Model Certification (CMMC)

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join SPB Lawyers at Several Webinars Next Week

Join Us at the 2024 ANA Masters of Advertising Law Conference

Navigating

Originally posted on Squire Patton Boggs’ The Trade Practitioner blog 


On October 15, 2024, the U.S. Department of Defense (DoD) released its final rule to establish the Cybersecurity Maturity Model Certification (CMMC) Program (Final CMMC Program Rule). The CMMC Program allows the DoD to verify that defense prime contractors and subcontractors (defense contractors) have implemented security safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are maintaining required safeguards during the contract period of performance. The CMMC requirements apply to defense contractors that process, store or transmit FCI or CUI in the performance of a DoD contract or subcontract.

In a parallel effort, the DoD also has proposed an acquisition rule – 48 C.F.R Part 204 CMMC Acquisition Rule or (DFARS rule) – that will amend the Defense Federal Acquisition Regulation Supplement (DFARS) and contractually implement the CMMC Program (32 C.F.R. part 170) through DoD solicitations and contracts. In September we described the proposed DFARS rule, for which the comment period closed on October 15, 2024. The DoD estimates it will publish the final DFARS rule by mid-2025. The effective date of the final DFARS rule (which is 60 days after it is published in the Federal Register) is a key date since that effective date will initiate the CMMC Program’s phased rollout discussed below.Continue Reading Navigating DoD’s CMMC Program Final Rule