CMMC 2.0 Progressing Through Rulemaking
On December 26, 2023, DOD published the proposed policy rule for the Cybersecurity Maturity Model Certification (CMMC) Program. The content of the rule and comments submitted to date can be reviewed on Regulations.gov, with the opportunity to submit comments ending on February 26, 2024. Federal rulemaking is expected to continue through 2024, with additional regulatory updates for implementing contractual requirements (proposed changes and final rules associated with DFARS 252.204-7012, 252.204-7020, and 252.204-7021) expected over the next few months. Lockheed Martin and peer prime contractors have worked across industry groups to aggregate comments, convey cybersecurity resource concerns, and promote Government and Industry collaboration to shape DOD Controlled Unclassified Information (CUI) protections across the Defense Industrial Base (DIB).
Current regulatory mandates require DIB companies with DOD CUI to implement NIST 800-171 security requirements. Based on timeline estimates from ongoing federal rulemaking, additional requirements may follow, including the potential for CMMC assessments and/or certifications in late 2024 or 2025. All DIB companies that manage Controlled Unclassified Information (CUI) should have fully implemented, and be confidently meeting, the underlying NIST 800-171 (r2) requirements ahead of potential contractual CMMC requirements. Suppliers are encouraged to engage with and/or the to validate preparedness for an anticipated CMMC third-party assessment and certification.
To understand more about CMMC and the underlying NIST 800-171 requirements, or for greater awareness and understanding of the cybersecurity threats facing your organization, Lockheed Martin encourages suppliers to participate in the National Defense Information Sharing Analysis Center (ND-ISAC) and to monitor ND-ISAC DIB Sector Coordinating Council (SCC) Cyber Assist for updates and to support preparedness efforts regarding NIST 800-171 requirements and planned CMMC practices.