top of page

Proposed CMMC Rule Sparks Excitement Among Defense Industry Professionals

GnomeGuard Group

3 min read

Jan 26




GnomeGuard Group Logo
GnomeGuard Group - Providing Compliant Managed Services

A Fresh Look at Cybersecurity in Defense: CMMC Proposed Rule and How to Comment on It 

Hello, tech leaders, compliance experts, and innovative thinkers in the defense industry! There is big news happening: the Department of Defense has just introduced a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program. This is not a minor update; it's a major change in the cybersecurity landscape, and it's going on right now. 

A New Era of Cybersecurity Compliance

On December 26, 2023, the DoD started a new era of defense cybersecurity with the publication of the proposed rule for CMMC. The proposed CMMC rule sparks considerable attention and dialogue across the defense industry, heralding a transformative era in cybersecurity protocols. This is not just a policy change; it's a request for feedback and participation. Imagine a world where your voice can directly affect cybersecurity in defense contracting. Well, that world is here. The DoD is looking for comments on this proposed rule, along with eight CMMC guidance documents. This is a rare chance for industry professionals like you to have a role in the future of defense cybersecurity. 

The Time is Limited: 60 Days of Influence 

From the day of publication, you have 60 days to share your opinions, issues, and recommendations. That's until February 26, 2024. This period is an excellent opportunity for stakeholders to influence the final version of the CMMC, making sure it's strong, realistic, and responsive to the needs of the defense industry. 

Understanding CMMC: A Quick Summary 

Let's take a quick look at what's being proposed. CMMC has three primary features: 

  1. Raising the Bar for Cybersecurity: Companies holding national security information must implement increasingly advanced cybersecurity measures. 

  1. Assessment for Assurance: The DoD will check the implementation of these cybersecurity measures. 

  1. Conditional Compliance: DoD contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) must achieve a certain CMMC level. 

Also, the proposed rule explains phased implementation, with four stages over 2.5 years. This phased approach allows companies to slowly increase their compliance efforts. 

Your Plan for Compliance 

Here's a quick overview of what each CMMC level requires: 

  • Level 1: Focuses on protecting FCI. Requires self-assessment and annual confirmation by a senior official. 

  • Level 2: For those managing CUI. Involves verification of 110 security requirements and could require either a self-assessment or a third-party certification. 

  • Level 3: For the highest priority CUI. Requires implementation of added security requirements and DoD assessment for certification. 

Getting Ready for the Future 

A GnomeGuard Group Gnome
Credit: GnomeGuard Group

While the final rule's implementation may be some time away, the preparation starts now. Defense contractors and related businesses should start aligning their cybersecurity practices with the expected requirements of CMMC. This is not just about compliance; it's about strengthening your cybersecurity defenses in an increasingly digital world. 

Participate in the Conversation 

As leaders and experts in the field, your insights are valuable. This is your chance to contribute to a framework that will protect our nation's sensitive data and shape the future of cybersecurity in defense contracting. So, let's get involved, share our expertise, and together move towards a more secure and resilient defense industry. 

Remember, every comment, every suggestion, and every piece of feedback matters. This is about creating a cybersecurity framework that not only meets today's challenges but is strong enough to adapt to the threats of tomorrow. Let's make our voices heard and contribute to a safer, more secure defense landscape. 


Comment Submission Methods

  1. Federal eRulemaking Portal:

  1. Mail:

  • Address your mail to: Department of Defense, Office of the Assistant to the Secretary of Defense for Privacy, Civil Liberties, and Transparency, Regulatory Directorate, 4800 Mark Center Drive, Attn: Mailbox 24, Suite 08D09, Alexandria, VA 22350–1700.

Important Instructions for Submission:

  • Include Necessary Details: Ensure that all submissions include the agency name and the docket number or RIN for this Federal Register document, which is 2023-27280.

  • Understand Public Availability: Be aware that the general policy for comments and other submissions from the public is to make these available for public viewing on This is standard for submissions received, and they will be displayed without any changes, including any personal identifiers or contact information.

Things to Keep in Mind:

  • Articulate Clearly: When drafting your comment, be clear and specific about your feedback or suggestions.

  • Adhere to Guidelines: Follow any specific guidelines provided on the portal or in the submission instructions, such as word limits or formatting requirements.

  • Be Timely: Remember that the comment period is open for 60 days from the publication date of the proposed rule, so ensure your comments are submitted within this timeframe.

bottom of page