CMMC final rule clarifies addressing assessment gaps, removes notification requirement for information security lapses

The Defense Department is making targeted changes in its acquisition final rule to implement the Cybersecurity Maturity Model Certification program, including clarifications on addressing assessment gaps and information security lapses.

The final rule amends the Defense Federal Acquisition Regulation Supplement and will go into effect on Nov. 10. The first rulemaking to implement CMMC 2.0 established the program in Title 32 of the Code of Federal Regulations and went into effect on Dec. 16, 2024.

“Technical and programmatic...