Ken Larson

CMMC 2.0 Final Rule For Controlled Unclassified Information (CUI) Released


“BREAKING DEFENSE” By Carley Welch


“CMMC 2.0 introduced a third-party assessment dependent on contractor’s CUI capacity. Starting in 2025, the Department of Defense will begin to implement its requirement that all defense contractors be CMMC compliant at the time a contract is awarded.”

_________________________________________________________________________________

“The final rule for the long-awaited Cybersecurity Maturity Model Certification (CMMC) 2.0, which sets new standards for contractors who handle controlled unclassified information (CUI), was released for public inspection and will hit the federal register on Oct. 15. In order to avoid a scramble to meet the new regulations with little notice, the requirements will become mandatory after a three-year phase-in period.


“The DoD’s follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid-2025,” a DoD press release said. 


The main change from CMMC 1.0 to 2.0 is that CMMC 1.0 had a five-level scale for compliance, while CMMC 2.0 has a three-level scale. Additionally, a third-party assessment is being introduced depending on the level of CUI a contractor handles. 

Contractors at Level 1, who handle “basic” protection of CUI and some contractors at Level 2 who handle “general” CUI protection can undergo self-assessments to ensure they are CMMC compliant. The remaining contractors who classify as Level 2 and all Level 3 contractors have to undergo a third-party assessment. Additionally, the new rule also “clearly identifies” all 24 security controls from NIST SP 800-172 requirements mandated for CMMC Level 3 certification. 


A recent study reported by Breaking Defense showed that there was a notable discrepancy between companies who completed self-assessments and those who obtained third-party assessments: only 4 percent of respondents were actually CMMC compliant based on third-party assessments, but 75 percent thought they were based on self-assessments.


Furthermore, today’s release confirmed that contractors have to adhere to controls set by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.


“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the press release stated. The CMMC program “implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company’s cybersecurity status.” 


Officials have been teasing CMMC 2.0 since November 2019 as an updated version of CMMC 1.0. The new model was designed to reduce complexity by eliminating unique processes and security practices that industry sees as redundant and costly, David McKeown, Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer at the Department of Defense, said back in June.”

