WHAT: On February 16, 2024, the U.S. Department of Defense (DOD) posted a 40-minute video overview of DOD's proposed requirements for the Cybersecurity Maturity Model Certification (CMMC) program. The video is available here, and there is an accompanying notice in the Federal Register with a link to the video. As many contractors get ready to work with and use the CMMC program, any guidance from the government may help them understand compliance challenges.

The video discusses the proposed rule that DOD published on December 26, 2023, which outlines the CMMC program's security, assessment, and affirmation requirements for contractors that handle federal contract information and controlled unclassified information. Comments on the proposed rule are still due by February 26, 2024. We previously summarized the proposed rule here.

WHAT DOES THIS MEAN FOR INDUSTRY: DOD released the video to "improve understanding of the proposed CMMC requirements and increase impact of the public comment period." If you have been following the CMMC program over the last few years, you'll already be familiar with the main points DOD emphasized throughout the video.

  • DOD will use the CMMC program to verify contractor compliance with existing cybersecurity requirements.
  • DOD is implementing the CMMC program through two related rulemakings: (1) a "program rule" will amend Title 32 of the Code of Federal Regulations (this is what DOD proposed on December 26, 2023), and (2) an "acquisition rule" will amend the DFARS, which appears in Title 48 of the Code of Federal Regulations (this remains pending in DFARS Case 2019-D041).
  • DOD intends to publish a proposed version of the acquisition rule "this year."
  • DOD plans to synchronize the effective dates for the program rule and the acquisition rule so that both become final and effective at the same time.
  • DOD will begin the four-phase implementation period only after both rules are effective.
  • DOD aims to begin this implementation process by FY 2025, the same fiscal year in which DOD originally anticipated that it would complete its phase-in plan for the predecessor CMMC 1.0 program.
  • DOD remains committed to implementing the CMMC program.

Wiley's cross-disciplinary Government Contracts, National Security, and Privacy, Cyber & Data Governance teams will continue to monitor these developments.
