On December 26, 2023, the U.S. Department of Defense (DoD) published the much anticipated proposed rule for the revamped Cybersecurity Maturity Model Certification (CMMC) 2.0 Program.

Following growing concerns within DoD that contractors were not consistently implementing the cybersecurity requirements of DFARS 252.204-2012, DoD responded with the creation of the CMMC Program in 2019 to move away from a “self-attestation” model of security. The CMMC Program’s purpose is for contractors and subcontractors to demonstrate that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) being processed, stored, or transmitted is adequately safeguarded. CMMC builds from existing cybersecurity requirements by requiring that contractors and subcontractors undergo Self-Assessments, Third-Party Assessments, or Government Assessments, as required, to ensure that mandated information protection requirements have been implemented. Continue Reading Happy New Year From DoD – The Proposed CMMC Rule Is Here

On November 4, 2021, the Department of Defense (DOD) announced it is revamping the Cybersecurity Maturity Model Certification program. The changes are intended to make the program more streamlined and flexible, which, in turn, will make it easier (and cheaper) for contractors to implement. Details of the revised program are limited, but some of the highlights include:

  • Fewer Levels: CMMC 2.0 will have only three levels of certification rather than five, and they will align more closely with existing cybersecurity standards. For example, Level 2 will align with NIST SP 800-171, the standard that applies when contractors handle controlled unclassified information.

Continue Reading DOD Announces CMMC 2.0; Cancels Rollout of CMMC 1.0