Finally, the Department of Defense has released proposed rules regarding cybersecurity standards for contractors.
After several years of development, the Department of Defense shifted gears in late 2021 with Cybersecurity Maturity Model Certification 2.0. This includes enhancements to an initial program first developed during the Trump administration. After reforming the program, the Department of Defense is working on a final rule that will require contractors that handle unclassified information managed by the Department to be CMMC certified. Otherwise, they risk losing business.
The CMMC program is based on a tiered cybersecurity framework that rates companies on a scale of 1 to 5 based on the classification and level of security required for their operations. This was originally conceived to protect contractor information from misuse by adversaries. For the past few years, officials have claimed that $600 billion in annual losses are due to cyber theft by adversaries.
The proposed rules are scheduled to be announced on December 26th. An unreleased version is available in the Federal Register.
The public comment period is 60 days from the date of publication.
The program is not without controversy. Some contractor advocates have said in the past that the program is expensive and cumbersome, especially for small businesses and nontraditional contractors, and that it is difficult to understand. Some people claimed that it was difficult to achieve.
CMMC 2.0 aimed to simplify things with three key features:
- The first is a tiered model, which requires contractors to implement cybersecurity standards at scale based on the sensitivity of the information.
- The second is an evaluation requirement that allows the Department of Defense to verify implementation of the standards.
- The third is implementation by contract. Once the CMMC contract is fully implemented, Department of Defense contractors working with classified information will be required to achieve certain CMMC levels in order to win future contracts.