The U.S. Department of Defense has proposed a rule for the Cybersecurity Maturity Model Certification (CMMC) program, which is designed to ensure that defense contractors and subcontractors are in compliance with information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI). The proposed rule aims to address public concerns and streamline requirements for the program.
Key points:
- The proposed rule for the CMMC program has been published for a 60-day comment period by the U.S. Department of Defense.
- The program aims to ensure that defense contractors and subcontractors are compliant with information protection requirements for FCI and CUI.
- The proposed rule revises certain aspects of the program to address public concerns and streamline requirements.
- The CMMC program now allows for self-assessment for some requirements, prioritizes protecting DoD information, and reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
- Assessment under the CMMC program is required at three levels, starting with basic safeguarding of FCI at Level 1 and rising to higher levels that protect against advanced persistent threats.
- DoD estimates that overall program costs will be reduced by allowing self-assessments for certain levels and by having government assessors conduct Level 3 assessments.
- The CMMC program aligns directly with cybersecurity requirements described in NIST Special Publications 800-171 and 800-172.
- Concurrent with the proposed rule, DoD is also requesting comment on eight CMMC guidance documents.
The proposed rule for the CMMC program has been published by the U.S. Department of Defense for a 60-day comment period. The program is aimed at ensuring that defense contractors and subcontractors are compliant with information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI). The proposed rule revises certain aspects of the program to address public concerns and streamline requirements.
The CMMC program now allows self-assessment for some requirements, simplifying compliance at certain levels. It prioritizes the protection of DoD information and reinforces cooperation between the DoD and industry in addressing evolving cyber threats. The program requires cybersecurity assessment at three levels: Level 1 focuses on the basic safeguarding of FCI, Level 2 covers general protection of CUI, and Level 3 is required where a higher level of protection against advanced persistent threats is needed.
The proposed rule also adds flexibility to the program by allowing limited use of Plans of Action and Milestones and by providing a government waiver request process. DoD estimates that allowing self-assessments for certain levels, and having government assessors from the Defense Industrial Base Cybersecurity Assessment Center conduct Level 3 assessments, will reduce overall program costs.
The CMMC program aligns directly with cybersecurity requirements described in National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172. Alongside the proposed rule, the DoD is also requesting comment on eight CMMC guidance documents.