Pentagon Releases Long-Awaited Contractor Cybersecurity Rule

Government Contracts attorney Amy Fuentes was quoted in an article published by the Information Security Media Group about the U.S. Department of Defense's (DOD) final Cybersecurity Maturity Model Certification (CMMC) rule and its phased rollout over the next three years. The article detailed that the rule sets three CMMC levels tied to the sensitivity of information handled, introduces self-attestation for Federal Contract Information (FCI) and third‑party or Defense Contract Management Agency (DCMA) assessments for Controlled Unclassified Information (CUI), excludes commercial off-the-shelf (COTS) procurements and makes eligibility contingent on current CMMC status. Ms. Fuentes noted the breadth of the rollout means compliance planning cannot wait, as contractors across the supply chain will need to operationalize governance, assessments and supplier controls to continue competing for solicitations and awards.

"Despite efforts to minimize the burden of compliance on small businesses and the defense industrial base by using phased implementation, the rule will eventually impact more than 300,000 organizations," she said.

READ: Pentagon Releases Long-Awaited Contractor Cybersecurity Rule