Government , Industry Specific , NIST Standards
DOD Unveils Final CMMC Rule for Defense Contractors
New Cybersecurity Maturity Model Certification Rule Paves Way for ImplementationThe U.S. Department of Defense finalized a long-awaited rule for its Cybersecurity Maturity Model Certification program, introducing a new tiered security system to simplify compliance for contractors handling sensitive unclassified information and strengthen protection against cyberthreats.
The Pentagon announced plans to launch "CMMC 2.0" in November 2021, seeking to streamline the certification process and enhance security measures. The new final rule simplifies the process for small- and medium-sized businesses by cutting the number of assessment levels from five to three. The rule also categorizes contractors into tiers based on the sensitivity of the information they handle, with each tier requiring increasingly stronger security measures, according to a Friday statement.
The new rule requires Defense Industrial Base contractors in CMMC's second and third tiers to undergo third-party compliance assessments. This was a major shift from the program's current reliance on self-assessments, and the move aimed at ensuring higher accountability and security standards. The change is meant to "verify that defense contractors are compliant with existing protections for federal contract information" and "protecting that information at a level commensurate with the risk from cybersecurity threats."
The new rule, set to publish in the Federal Register on Oct. 15, clears the path for the Defense to start implementing the CMMC program, with its requirements expected to be included in federal contracts starting next year. Each tier has increasingly advanced requirements, with Level 2 contractors needing to implement 110 security measures from NIST SP 800-171 on top of Level 1 requirements, while Level 3 contractors must fulfill both Level 1 and Level 2 requirements and add 24 more security measures from NIST SP 800-172.
The new rule also implements an "annual affirmation requirement" that will serve as a "key element for monitoring and enforcing accountability of a company's cybersecurity status."
"CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches," the Pentagon said.
The 470-page rule permits Level 1 contractors to handle federal contracting information, while Level 2 and Level 3 contractors are authorized to manage specific controlled unclassified information. The Pentagon said that the program aims to reduce costs for first-tier contractors by continuing to allow self-assessments while reserving evaluations by the DIB Cybersecurity Assessment Center exclusively for Level 3 contractors.
The new rule also introduces plans of action and milestones for businesses attempting to obtain certification to help ensure a clear roadmap for compliance. DOD urged businesses in the DIB to "take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments."
Under the rule, Level 3 contractors who do not meet specific security requirements will be given 180 days after the assessment to develop and implement plans of action. DOD said the rule is meant to enforce DIB cybersecurity standards, safeguard sensitive information and ultimately maintain public trust "through high professional and ethical standards."
DOD also said DIB contractors can use certain cloud service offerings to meet the CMMC program's cybersecurity requirements and provided a list of current cybersecurity-as-a-service offerings and resources on its website.