
Pentagon Wants Feedback on Revised Cybersecurity Maturity Model Certification Program

DoD is requesting public opinion on proposed changes to the Cybersecurity Maturity Model Certification program rules.

The US Department of Defense this week published a proposed rule and requested public feedback for the Cybersecurity Maturity Model Certification (CMMC) program.

The CMMC program is meant to establish an assessment mechanism to verify that defense contractors and subcontractors have implemented the security measures required to protect federal contract information (FCI) and controlled unclassified information (CUI).

The DoD currently demands that contractors and subcontractors implement the security protections detailed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2.

DoD partners are required “to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status”, and the CMMC enables the Pentagon to verify that these protections have been implemented and are maintained throughout the contract period.

The newly published rule is a revision of certain aspects of the program, in line with public feedback received after the initial CMMC program was published in September 2020.

According to the DoD, the revision allows the self-assessment of certain requirements, to simplify compliance, sets forth priorities for protecting DoD information, and reinforces cooperation between the department and industry.


The CMMC program requires a cybersecurity assessment at three levels: basic protection of FCI at level 1, general protection of CUI at level 2, and higher safeguarding against advanced persistent threats at level 3.

“DoD estimates overall program costs will be reduced by allowing for self-assessments for Level 1 and some Level 2 assessments and minimizing cost to industry for Level 3 assessments by having Government assessors from Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct these assessments,” the department says.

The Pentagon has opened CMMC for public comment for a 60-day period and is also requesting feedback on eight CMMC guidance documents and new information collections.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
