Home / Agencies / DOD / 2024-22905
Final Rule

Cybersecurity Maturity Model Certification (CMMC) Program

Agency
Document Number
2024-22905
Published
October 15, 2024
Effective Date
December 16, 2024

Abstract

With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.

Federal Register Source

This document is published by the Office of the Federal Register, National Archives and Records Administration. Access the full regulatory text, preamble, and docket comments below.

View Full Text on FederalRegister.gov →

Opens in new tab · federalregister.gov

Frequently Asked Questions

What is the 2024-22905 Federal Register document?
Document 2024-22905 is a Final Rule published by the Department of Defense in the Federal Register on October 15, 2024, with an effective date of December 16, 2024. With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes. View the original at https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program.
Is document 2024-22905 an economically significant rule?
No. Document 2024-22905 is not classified as economically significant under Executive Order 12866. Economically significant rules require OIRA review and are estimated to have impacts of $100 million or more per year.
Data sourced from official state legislatures, IAPP, NCSL, and federal regulatory trackers. See our methodology for details. Retrieved and formatted by PlainRegWatch Editorial

Every figure on PlainRegWatch is rendered directly from state source data, no number is typed in by an editor. This page draws directly on federal and state source data, no figure is typed in by an editor. See our editorial standards & corrections policy, the methodology behind these numbers, or report a data error.