Final CMMC rule issued by Defense Department

DefenseScoop reports that the U.S. Department of Defense has unveiled its final Cybersecurity Maturity Model Certification 2.0 rule that would impose updated contractor cybersecurity standards by the middle of next year.

Included in the finalized CMMC 2.0 rule are required third-party or Defense Industrial Base Cybersecurity Assessment Center compliance evaluations of contractors dealing with sensitive data although contractors with less sensitive information would be permitted to undergo self-assessments. Moreover, contractors failing to fulfill CMMC standards would be given conditional certification lasting six months, said the Defense Department. "The Department understands the significant time and resources required for industry to comply with DoD’s cybersecurity requirements for safeguarding CUI and is intent upon implementing CMMC requirements to assess the degree to which they have done so," said the Pentagon, which also noted the publication of the amended Defense Federal Acquisition Regulation Supplement rule, which would result in the inclusion of CMMC requirements in contracts and solicitations, by mid-2025.