The Department of Defense (DoD) released for comment a proposed rule setting guidelines for implementation of the Cybersecurity Maturity Model Certification (CMMC) program.

The proposal, published Tuesday, would “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have … implemented required security measures” under the CMMC, which applies to federal contract information and controlled unclassified information.

Comments on the proposal are due by Feb. 26.

The CMMC program was updated in 2021 after its initial version put forward in 2020 was reviewed by the DoD following significant feedback from the public. The 2.0 version has three key features, as defined by the DoD:

  1. Companies entrusted with national security information must implement cybersecurity standards at progressively advanced (tiered) levels;
  2. The department is allowed to verify the implementation of clear cybersecurity standards; and
  3. Certain contractors that handle sensitive unclassified information will be required to achieve a particular CMMC level as a condition of contract award.

The proposal establishes that the requirements of the rule will not be fully implemented until 2026 or later, allowing the department time to consider public feedback and other tweaks.

It calls for four phases of implementation, including:

  1. Introducing self-assessment requirements, effective the date of the CMMC revision to the Defense Federal Acquisition Regulation Supplement;
  2. Six months after Phase 1, the DoD will begin to include Level 2 certification assessment requirements for all applicable solicitations and contracts;
  3. One calendar year after the start of Phase 2, Level 3 certification requirements will be introduced; and
  4. Full implementation, effective one calendar year after the start of Phase 3.

“The phased implementation plan … is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements,” said the proposal. “An extension of the implementation period or other solutions may be considered in the future to mitigate any [CMMS third-party assessment organization] capacity issues, but the department has no such plans at this time.”