Cybersecurity Maturity Model Certification program for defense-related research.
The final CMMC Program rule published in October 2024 by the DoD Office of the Secretary establishing the Cybersecurity Maturity Model Certification framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the defense supply chain.
Supplemental summary document and press release from DoD announcing the final CMMC Program rule.
The proposed rule for the CMMC Program published in December 2023, which was superseded by the final rule in October 2024.
Joint comments submitted by ACE, AAU, APLU, COGR, and EDUCAUSE on February 26, 2024 in response to the proposed CMMC rule.
In the September 10, 2025, Federal Register, the Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification (CMMC) program rule. The new rule formalizes the ability of the DoD to include CMMC requirements as a condition of contract award, to include either Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or both.
