Cybersecurity Maturity Model Certification (CMMC) 2.0

On August 15, 2024, DoD published proposed revisions to the Defense Federal Acquisition Regulation Supplement (DFARS) rule for Cybersecurity Maturity Model Certification (CMMC) 2.0. The timeline for CMMC phased implementation was not updated in the proposed revision and rulemaking is still expected to extend into 2025.

The content of the rule and comments submitted to date can be reviewed and tracked on Regulations.gov (Docket 2020-0034-0194), with the opportunity to submit comments ending on October 15, 2024. Lockheed Martin and peer prime contractors are collaborating and engaging industry groups to aggregate comments, convey cybersecurity resource concerns and promote Government and Industry collaboration to shape DoD Controlled Unclassified Information (CUI) protections across the Defense Industrial Base (DIB).

DIB companies with DoD CUI are reminded that current regulatory mandates remain unchanged; DFARS 252.204-7012 and DFARS 252.204-7020 continue to require organizations to assess and implement NIST SP 800-171 Revision 2 security requirements (per DOD Class Deviation for 252.204-7012), and submit their DoD NIST Assessment Methodology Score into the Supplier Performance Risk System (SPRS). All DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements. Suppliers are encouraged to engage with NIST MEP and/or the CyberAB Marketplace to validate preparedness for an anticipated CMMC third-party assessment and certification. Additionally, The “DOD encourages all DIB companies to join ND-ISAC...” for threat intelligence and sharing but it is also a platform to learn more about CMMC via the National Defense Information Sharing Analysis Center (ND-ISAC) / DIB Sector Coordinating Council (SCC) Cyber Assist website.

Lockheed Martin also hosts monthly Supply Chain Cyber Academy sessions with partners from the National Defense Information Sharing and Analysis Center/Defense Industrial Base Sector Coordinating Council to provide education and awareness for CMMC, NIST SP 800-171, cyber DFARS, and cybersecurity best practices. You can register for the monthly sessions by reviewing their calendar below.

We encourage suppliers to take advantage of these resources to support on-going efforts to protect CUI in accordance with NIST SP 800-171 and potential future CMMC requirements.