Department of Defense Finalizes Rule Adding New Cybersecurity Requirements for Defense Contractors and Subcontractors

Source: JDSupra

The U.S. Department of Defense (DOD) has published a Final Rule to implement the Cybersecurity Maturity Model Certification (CMMC) program, which establishes minimum cybersecurity requirements for nearly all DOD contracts. The Final Rule is part of the DOD’s efforts to bolster the protection of sensitive information within the defense industrial base against evolving cybersecurity threats. The Final Rule is effective December 16, 2024, and will require proactive measures by contractors and subcontractors seeking to partner with the DOD.

The Final Rule will be implemented in four phases over a three-year period. Relatedly, the DFARS Proposed Rule outlines how CMMC Program requirements will be incorporated into contracts. Final comments on the DFARS Proposed Rule closed on October 15, 2024, and a Final Rule is expected in mid-2025. This will serve as the effective date for the phase-in process to begin. Once this occurs, solicitations and defense contracts that require contractors to process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) on a non-federal system will condition contract eligibility on a contractor’s ability to meet these new requirements.

Click HERE to read the full article