Pentagon publishes final rule implementing CMMC

  • The Pentagon has published the final acquisition rule implementing the Cybersecurity Maturity Model Certification program. The rule, released in the Sep 10 Federal Register, will allow Defense Department procurements to include CMMC assessment requirements. The assessments are intended to ensure that defense contractors are following cybersecurity standards for protecting controlled unclassified information. The Pentagon estimates that 80,000 defense contractors may be required to obtain a CMMC assessment. Officials plan to phase in the requirements over a three-year period.

  • On September 9, the Department of War (DoW) released the final Defense Federal Acquisition Regulation Supplement (DFARS) rule implementing the Cybersecurity Maturity Model Certification (CMMC) Program as described at 32 CFR 170.3 for public inspection in the Federal Register.

    The final rule will ensure DoW procurements will include CMMC assessment requirements that ensure defense contractors properly safeguard the Department’s Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

    The CMMC program will provide a consistent methodology for assessing compliance with DoW’s cybersecurity requirements.

    “We expect our vendors to put U.S. national security at the top of their priority list,” said Kate Arrington, performing the duties of the DoW Chief Information Officer. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”

    The Federal Register Notice is available for public inspection at the following location:

    https://public-inspection.federalregister.gov/2025-17359.pdf

    An introductory course about the CMMC program is available to both Government and industry students at:

    https://www.dau.edu/courses/cyb-1010