
Pentagon Wants Feedback on Revised Cybersecurity Maturity Model Certification Program

DoD is requesting public opinion on proposed changes to the Cybersecurity Maturity Model Certification program rules.

The US Department of Defense this week published a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program and opened it for public feedback.

The CMMC program is meant to establish an assessment mechanism to verify that defense contractors and subcontractors have implemented the security measures required to protect federal contract information (FCI) and controlled unclassified information (CUI).

The DoD currently requires contractors and subcontractors to implement the security requirements detailed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2.

DoD partners are required “to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status”, and the CMMC enables the Pentagon to verify that these protections have been implemented and are maintained throughout the contract period.

The newly published rule is a revision of certain aspects of the program, in line with public feedback received after the initial CMMC program was published in September 2020.

According to the DoD, the revision allows self-assessment against certain requirements, which simplifies compliance; sets priorities for protecting DoD information; and reinforces cooperation between the department and industry.

The CMMC program defines three assessment levels: Level 1 covers basic protection of FCI, Level 2 covers general protection of CUI, and Level 3 adds enhanced safeguards against advanced persistent threats.

“DoD estimates overall program costs will be reduced by allowing for self-assessments for Level 1 and some Level 2 assessments and minimizing cost to industry for Level 3 assessments by having Government assessors from Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct these assessments,” the department says.


The Pentagon has opened the proposed CMMC rule for a 60-day public comment period and is also requesting feedback on eight CMMC guidance documents and new information collections.

Related: CISA Seeks Public Opinion on Google Workspace Secure Configuration Baselines

Related: Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking

Related: US DoD Launches Vuln Disclosure Program for Contractor Networks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

