The U.S. Department of Defense (DoD) has published updated rules for the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC is a unified standard for security introduced by the DoD to strengthen the cybersecurity of the defense industrial base. The new rules will allow for self-assessment for some requirements, prioritize the protection of DoD information, and promote collaboration between the DoD and industry in addressing evolving threats. Defense contractors and subcontractors that have access to controlled unclassified information (CUI) will be required to demonstrate the maturity of their own cybersecurity programs. The CMMC requirements could come into effect in contractor solicitations as early as summer 2024.
– The DoD has published updated rules for the CMMC program, a unified standard for security in the defense industrial base.
– The new rules will allow for self-assessment, prioritize DoD information protection, and promote collaboration between the DoD and industry.
The U.S. Department of Defense (DoD) has announced the release of updated rules for the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC is a unified standard for security that aims to strengthen the cybersecurity of the defense industrial base. The new rules, known as CMMC 2.0, will introduce several changes to the certification program, including the ability for contractors to perform self-assessments for some requirements. This change is expected to streamline the certification process and reduce the burden on contractors. The updated rules will also prioritize the protection of DoD information and reinforce cooperation between the DoD and industry in addressing evolving threats.
Under CMMC 2.0, defense contractors and subcontractors that have access to controlled unclassified information (CUI) will be required to demonstrate the maturity of their own cybersecurity programs against a set of progressively more advanced capabilities. This will help ensure that contractors are equipped to handle the evolving threat landscape and maintain the security of sensitive DoD information.
The release of the updated rules comes after nearly two years of anticipation. The original CMMC program was introduced by the DoD in 2021 and aimed to bring about a cultural shift within engineering and test organizations by emphasizing the importance of cybersecurity. The program required defense contractors to achieve a designated level of cybersecurity maturity through a third-party assessment. However, the program faced criticism for its heavy reliance on external assessments and the associated costs and administrative burden.
The new rules address some of these concerns by allowing contractors to perform self-assessments for certain requirements. This change is expected to reduce costs and streamline the certification process, making it more accessible for small and medium-sized businesses. Not all requirements will be eligible for self-assessment, however, and contractors will still need to undergo third-party assessments for certain aspects of their cybersecurity program.
Additionally, the updated rules prioritize the protection of DoD information by outlining specific requirements and standards that contractors must meet. This is in response to the increasing sophistication of cyber threats and the need for stronger protections against potential breaches and cyber attacks. The rules also promote cooperation between the DoD and industry to address evolving threats, highlighting the importance of collaboration in maintaining robust cybersecurity defenses.
The release of the updated rules is a significant development in the ongoing effort to enhance cybersecurity in the defense industrial base. By emphasizing the importance of maturity and collaboration, the CMMC program aims to ensure that defense contractors have the necessary cybersecurity capabilities to protect sensitive DoD information. The new rules, with their focus on self-assessment, prioritization of information protection, and cooperation between the DoD and industry, represent a step forward in achieving this goal.