Cybersecurity Maturity Model Rule: Power Up Your Digital Defense!

December 27, 2023

The U.S. Department of Defense has proposed a rule for the Cybersecurity Maturity Model Certification (CMMC) program, which is designed to ensure that defense contractors and subcontractors are in compliance with information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI). The proposed rule aims to address public concerns and streamline requirements for the program.

Key points:

  • The proposed rule for the CMMC program has been published for a 60-day comment period by the U.S. Department of Defense.
  • The program aims to ensure that defense contractors and subcontractors are compliant with information protection requirements for FCI and CUI.
  • The proposed rule revises certain aspects of the program to address public concerns and streamline requirements.
  • The CMMC program now allows for self-assessment for some requirements, prioritizes protecting DoD information, and reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
  • Assessment under the CMMC program is required at three levels, starting with basic safeguarding of FCI at Level 1 and increasing to higher levels for protecting against advanced persistent threats.
  • DoD estimates that overall program costs will be reduced by allowing self-assessments for certain levels and by having government assessors conduct Level 3 assessments.
  • The CMMC program aligns directly with cybersecurity requirements described in NIST Special Publications 800-171 and 800-172.
  • Concurrent with the proposed rule, DoD is also requesting comment on eight CMMC guidance documents.

The U.S. Department of Defense has published the proposed CMMC rule for a 60-day public comment period. The program is intended to ensure that defense contractors and subcontractors comply with information protection requirements for FCI and CUI, and the proposed rule revises certain aspects of the program to address public concerns and streamline its requirements.

The CMMC program now allows for self-assessment for some requirements, simplifying compliance for certain levels. It prioritizes the protection of DoD information and reinforces cooperation between the DoD and industry in addressing evolving cyber threats. The program requires cybersecurity assessment at three levels. Level 1 focuses on the basic safeguarding of FCI, while Level 2 covers general protection of CUI. For a higher level of protection against advanced persistent threats, Level 3 assessments are required.

The proposed rule also adds flexibility to the program by allowing for limited use of Plans of Action and Milestones and a government waiver request process. DoD estimates that allowing for self-assessments for certain levels and having government assessors from the Defense Industrial Base Cybersecurity Assessment Center conduct Level 3 assessments will reduce overall program costs.

The CMMC program aligns directly with cybersecurity requirements described in National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172. Alongside the proposed rule, the DoD is also requesting comment on eight CMMC guidance documents.
