US Department of Defense (DoD) officials have been empowered to better assess defense contractors’ cybersecurity protections with the finalization of the latest version of the Cybersecurity Maturity Model Certification (CMMC) program.
Defense contractors will need to pass the program to bid for contracts with the DoD.
The CMMC will verify that the thousands of contractors used by the Department are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are safeguarding that information at a level equal with the risk from cybersecurity threats.
This final rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and in National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and SP 800-172.
“CMMC provides the tools to hold accountable entities or individuals that put US information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the DoD said in a press release.
“The CMMC Program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company's cybersecurity status,” the Department added.
The finalized framework is expected to be published in the Federal Register on Tuesday, October 15, and will be effective 60 days following publication.
Evolution of the CMMC Program
Currently, the DoD relies on self-attestation for defense contractor security.
The US government released the first version of the CMMC in January 2020, shortly after the SolarWinds supply chain attack which impacted almost 40 federal defense contractors.
The initial CMMC program comprised five progressively advanced levels of cybersecurity standards. Following an internal review, the DoD published an updated CMMC program, 2.0, in November 2021, which reduced the rules to three CMMC levels.
The reduction in levels was designed to streamline and simplify the process for small- and medium-sized businesses.
In December 2023, the Department published a proposed rule to amend the CMMC in the Federal Register, implementing the DoD’s vision for the revised program outlined in November 2021.
Following a comment period for the proposed rule that concluded on February 26, 2024, a number of significant changes were made to the CMMC. This included the creation of a new taxonomy differentiating the level and type of assessment conducted from the CMMC Status achieved as a result.
With the revised CMMC Program, the Department has also introduced Plans of Action and Milestones (POA&Ms).
POA&Ms will be granted for specific requirements as outlined in the rule to allow a business to obtain conditional certification for 180 days while working to meet the NIST standards.
Achieving Compliance with CMMC
The updated rule will allow DoD contractors to self-assess their compliance when appropriate.
The three levels in the CMMC are designed to provide increased assurance to the Department that defense contractors can adequately protect FCI and CUI at a level commensurate with the risk.
Defense contractors can achieve a specific CMMC Status for their entire enterprise network or for one or more enclaves, depending on where the information to be protected is processed, stored or transmitted.
- Level 1. This provides for self-assessment of the basic protection of FCI.
- Level 2. This requires general protection of CUI, demonstrated by either third-party assessment or self-assessment at CMMC Level 2.
- Level 3. This requires higher-level protection of CUI against risk from Advanced Persistent Threats (APTs), with assessment led by the Defense Industrial Base Cybersecurity Assessment Center.
The final version of the program clearly identifies the 24 NIST SP 800-172 requirements mandated for CMMC Level 3 certification.