On January 31, the Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”). This is the fourth iteration of the CMMC that DoD has publicly released since it issued the first draft in October, and it is intended to be the version that auditors will be trained against, and that will eventually govern defense contractors’ cybersecurity obligations. (We discussed the draft versions of the CMMC in earlier blog posts, as well as DoD’s Version 1.0 release announcement.)
As outlined in more detail below, the CMMC is a framework that “is designed to provide increased assurance to the DoD that a DIB [Defense Industrial Base] contractor can adequately protect CUI [Controlled Unclassified Information] at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”
DoD stated publicly that it plans to add CMMC requirements to ten Requests for Information (“RFIs”) and ten Requests for Proposals (“RFPs”) by the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award. DoD has indicated that these RFPs may involve relatively large awards, as it anticipates that each award will impact approximately 150 different contractors at all levels of the supply chain and at various levels of CMMC certification. DoD’s goal is to have CMMC requirements fully implemented in all new contract awards by Fiscal Year 2026.