Circle Nov. 10 as when the Defense Department’s new cyber and supply chain security standard for the entire industrial base starts to be implemented, almost six years after Pentagon leadership began talking about it.
The final rule for the Cybersecurity Maturity Model Certification 2.0 standard went into effect in December 2024, while the next step to implement the program into contracts started Tuesday with a regulation released for public inspection.
Also called the 48 CFR rule, its publication amends the Defense Federal Acquisition Regulation Supplement that governs all Pentagon contracts. Industry now has two months’ notice before CMMC 2.0 begins to appear in DOD solicitations.
CMMC 2.0 is the Pentagon’s new set of requirements for companies that house controlled unclassified information or federal contract information in their systems. Companies have up to three levels of compliance they can be certified under, depending on how sensitive the information is.
DOD plans to roll out the program in a four-phase process over the next three years. In the first phase starting Nov. 10, solicitations will require self-assessments at certification Levels 1 and 2 where applicable.
Some Level 2 certifications will require a verification check done by a certified third-party assessor organization if the data is considered more sensitive. Any and all Level 3 applicants will require certification from the Defense Industrial Base Cybersecurity Assessment Center.
The release of the new 48 CFR rule indicates industry can also circle Nov. 10, 2028, as when all DOD solicitations and contracts will mandate some level of CMMC compliance for eligibility to bid for the work.