DoD simplifies cybersecurity rules for government contractors
On October 15th, the Department of Defense (DoD) published the final Cybersecurity Maturity Model Certification (CMMC) rule for public review. CMMC requires that contractors demonstrate that their computer networks and cybersecurity policies are sufficient to prevent intrusions from foreign adversaries searching for information on weapons system development and manufacturing. The new rule includes significant changes that make it easier for private sector companies to comply with the cybersecurity requirements prior to bidding on defense contracts.
The big change in the new rule is the reduction of assessment levels – down from five to three – in a streamlining of the regulation. The CMMC program requires contractors who wish to do business with the DoD to comply with cybersecurity requirements as outlined in the Federal Acquisition Regulation (FAR) and the National Institute of Standards and Technology (NIST). The previous rule included two levels that were designed to assist companies in making transitions between levels. The latest rule removes the transition levels.
The new rule is now structured in three levels:
- Level One – self-assessment of a contractor’s ability to provide basic protection of federal contract information
- Level Two – assessment of controlled unclassified information (either a self-assessment or conducted by a third-party consultant)
- Level Three – assessment of protection of higher level controlled unclassified information conducted by the DoD Defense Industrial Base Cybersecurity Assessment Center
The new streamlined rule is designed to assist small-to-medium sized businesses who were discouraged in seeking out defense contracting opportunities because the CMMC requirements were too cumbersome. The new design aims to make the process less expensive while still taking detailed steps to ensure national security.
For more information about CMMC, visit the DoD's About CMMC page. The CMMC 32 CFR 170 Final Rule can be found in the Federal Register :: Cybersecurity Maturity Model Certification (CMMC) Program.