The U.S. Department of Defense (DoD) this week published a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program, which is designed to keep defense contractors compliant with information protection requirements and to safeguard sensitive data.
Applicable to both contractors and subcontractors, the rule covers the existing information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI), as well as the protection of sensitive unclassified information. With cybersecurity risks growing more pervasive, the rule would require cybersecurity assessment at three levels: basic safeguarding of FCI, general protection of CUI, and higher levels of protection against risk from advanced persistent threats.
This rule was originally published in 2020, but since then the DoD has streamlined its requirements. The rule is now simpler, for example by allowing self-assessment for some requirements. It also lays out priorities for protecting DoD information and emphasizes cooperation between the DoD and industry to address ongoing cyber threats. In particular, the allowance of self-assessment for level one and level two assessments, combined with minimizing costs to industry for level three assessments through government assessors, is expected to cut overall program costs.
A comment period will be open for 60 days, concurrent with a comment period for eight CMMC guidance documents and information collections. In 2024, this will be followed by a comment period for the Defense Federal Acquisition Regulation Supplement (DFARS) rule.