The Defense Department’s (DoD) current interim rule for the Cybersecurity Maturity Model Certification (CMMC) will take full effect on December 1, said Katie Arrington, CISO for DoD’s acquisition office, at an October 28 virtual event organized by C4ISRNET.
The interim rule that implements the CMMC program was posted in the Federal Register on Sept. 29 with a call for public comment. The CMMC program aims to establish a range of mandatory, audited cybersecurity standards for all companies participating in the defense industrial base (DIB). Version 1.0 of the CMMC rule was rolled out by DoD in January.
“The [CMMC] rule change goes into effect on December 1 of this year,” Arrington said. “As of December 1, cybersecurity is in all contracts” issued by DoD after that date, she said.
While the rule goes into effect December 1, Arrington said DoD “may need to adjudicate” some of the comments that were filed in the public comment proceeding, and said that will likely take place in January and February 2021.
Arrington also said that DoD finalized its statement of work with the CMMC Accreditation Body (AB), which is in charge of operationalizing CMMC assessments and training within the DoD contractor community, and other communities that may end up adopting the CMMC. “We are moving forward,” Arrington said.