FINAL CMMC RULE EXPECTED THIS WEEK

The Department of Defense is poised to issue one of two final rules governing Cybersecurity Maturity Model Certification (CMMC) requirements. This rule, which becomes effective 60 days after publication in the Federal Register, covers the information security requirements contractors must meet when they handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

An advance copy of the rule states, "To comply with DFARS clause 252.204-7012, contractors are required to develop a SSP (Systems Security Plan) detailing the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for the required NIST SP 800-171 self-assessment. To comply with 48 CFR 252.204-7019 (DFARS provision 252.204-7019) and DFARS clause 252.204-7020, self-assessment scores must be submitted. The highest score is 110, meaning all 110 NIST SP 800-171 security requirements have been fully implemented. If a contractor's Supplier Performance Risk System (SPRS) score is less than 110, indicating security gaps exist, then the contractor must create a plan of action identifying security tasks that still need to be accomplished. In essence, an SSP describes the cybersecurity plan the contractor has in place to protect CUI..."

There are three CMMC levels. Level 1 relies on the contractor's own annual self-assessment against the applicable NIST requirements. Level 2 requires either a self-assessment or a certification assessment by an accredited third-party assessment organization (C3PAO), depending on what the contract specifies. Level 3 requires a government-led assessment by the Defense Contract Management Agency's DIBCAC. DOD estimates that over 8,000 companies will be required to obtain third-party certification.

This final rule establishes the CMMC program and its assessment processes in regulation. DOD published a separate proposed CMMC acquisition rule this past summer, which would add the CMMC requirement to covered contracts through the DFARS. The comment period on the proposed acquisition rule closes today, October 14th. DOD expects to begin incorporating CMMC language into covered contracts in early to mid 2025.