Key Points:
- The US Department of Defense (DOD) is close to finalizing new cybersecurity rules for its contractors.
- The rules aim to ensure that contractors and subcontractors are implementing information security measures required by the DOD.
- MSPs will no longer be required to comply with Federal Risk and Authorization Management Program (FedRAMP) rules.
- Manufacturers will no longer be required to meet NIST SP 800-171 cybersecurity standards.
The US Department of Defense (DOD) is making progress in implementing new cybersecurity rules for its contractors, bringing them closer to the finish line. The rules, known as CMMC 2.0, aim to establish a comprehensive and scalable assessment mechanism within the DOD’s Cybersecurity Maturity Model Certification (CMMC) program. The goal is to ensure that contractors and subcontractors are implementing the information security measures required by the DOD.
The DOD has previously relied on security self-assessments by its suppliers, an approach that its inspector general has criticized for weak supervision of suppliers. A report released by the inspector general found that DOD contract officials have consistently failed to establish processes to verify contractor compliance with federal cybersecurity requirements. The DOD has also been involved in investigations targeting government contractors suspected of fraudulently attesting to their compliance with cybersecurity standards.
The CMMC program is a response to these issues, providing a way for the DOD to assess and verify compliance with security requirements. It also aims to protect the DOD’s supply chain from losses in intellectual property and controlled unclassified information (CUI), which can undermine national defense and the economy.
One important change in the new CMMC 2.0 rules is how they treat managed service providers (MSPs). Previous versions of the rules caused concern among MSPs about the requirement to comply with Federal Risk and Authorization Management Program (FedRAMP) rules. The new rules clarify that MSPs will not be subject to FedRAMP Moderate requirements, but will still need to comply with the same NIST requirements for CUI as other contractors handling the same information.
Another significant change is that manufacturers will no longer be required to meet NIST SP 800-171 cybersecurity standards. These standards were designed for IT networks and information systems, and were not well-suited for manufacturing environments. Manufacturers will now be exempt from these assessments, which will provide them with relief and enable them to focus on operational technology.
The proposed version 2.0 of the CMMC rules was published in the Federal Register in December, and interested parties have until February to file comments before the rules are finalized by the DOD.