After months of anticipation, the Defense Department has released a proposed rule for how it will incorporate Cybersecurity Maturity Model Certification requirements into defense contracts.

The Thursday Federal Register notice confirms several things we have known since the CMMC proposed rule was released in December.

Most importantly, the CMMC rule will have a phased rollout once the rule becomes final and that is widely expected to happen in early 2025.

During the phase-in period, individual program offices will make the decision of whether CMMC will be a requirement. But by the end of the phase-in, all defense contracts will have a requirement for either of the three CMMC compliance levels.

Level 1 continues to be self-assessment for CMMC compliance. Levels 2 and 3 require increasing levels of third-party assessments.

The new proposed rule also seeks to clarify several definitions involving CMMC, including what will be considered Controlled Unclassified Information.