by Vince Johnson
In 2019, the Department of Defense (DoD) announced efforts to develop a program that moved away from a “self-attestation” model of security. Named Cybersecurity Maturity Model Certification (CMMC), the program sought to provide requirements for a comprehensive and scalable assessment mechanism to ensure that defense contractors and subcontractors implement required security measures for protecting Federal Contract Information and newly established Controlled Unclassified Information.
On November 30, 2020, DoD put into effect an interim rule establishing a five-year phase-in period, with select pilot contracts chosen to comply. By March 2021, a DoD-led internal review of CMMC implementation, coupled with over 850 public comments on the interim rule, led to an overhaul of the CMMC process.
In November 2021, DoD introduced CMMC 2.0. It streamlines the model into three levels through focused critical requirements and alignment with the National Institute of Standards and Technology cybersecurity standards. The updated program focuses on reduced assessment costs, higher accountability, and greater contractor flexibility in achieving compliance.
CMMC 2.0 will not be universally required until DoD completes the rulemaking process. Timelines vary, but DoD estimates it will take 9 to 24 months. On December 26, 2023, CMMC 2.0 moved closer to this goal with the publication of a proposed rule for CMMC 2.0. Alongside the proposed rule, DoD released eight CMMC guidance documents, with public feedback due by February 26, 2024.
With the rulemaking process edging toward completion, organizations must familiarize themselves with CMMC 2.0 program provisions now. To help prepare contractors, DoD has created Project Spectrum, which includes a Cyber Readiness Check for CMMC compliance with Level 1 and 2 requirements.
As a professional services firm specializing in cybersecurity, Electrosoft has been tracking CMMC program evolution. We want to be ready to meet any CMMC 2.0 contractual requirements in new or existing contracts supporting our federal defense customers.
More information about CMMC is available from the DoD CIO’s “About CMMC” page (see References).
REFERENCES
U.S. Department of Defense Office of Small Business Programs | Project Spectrum https://www.projectspectrum.io/#/
U.S. Department of Defense Chief Information Officer | About CMMC https://dodcio.defense.gov/CMMC/About/