Critical Infrastructure Security, Government Regulations

Final CMMC 2.0 rule unveiled for November implementation

The federal government has awarded a contract to CounterCraft for a new deception platform that will be deployed throughout the Department of Defense. (Photo By USAF/Getty Images)

The U.S. Defense Department, recently renamed the Department of War by President Donald Trump, has introduced the final rule enforcing Cybersecurity Maturity Model Certification 2.0 standards on defense contractors, which will take effect on November 10, reports DefenseScoop.

Under the rule, which amends the Defense Federal Acquisition Regulation Supplement, vendors failing to adhere to CMMC 2.0 standards will be barred from contract awards and task or delivery orders.

Organizations will be required to self-evaluate their compliance. Those handling federal contract information will be assigned to CMMC Level 1 or 2, while those managing controlled unclassified information, designated under CMMC Level 2 and 3, will be required to have a check by a certified third-party assessor and certification from the Defense Industrial Base Cybersecurity Assessment Center, respectively.

Meanwhile, vendors that need to achieve Level 2 or 3 compliance and fail to meet the standards will be provided with a conditional certification valid for 180 days.

"We expect our vendors to put U.S. national security at the top of their priority list. By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that," said Pentagon Chief Information Officer Katie Arrington.
