On December 26, 2023, the U.S. Department of Defense (DoD) published the much anticipated proposed rule for the revamped Cybersecurity Maturity Model Certification (CMMC) 2.0 Program.

Following growing concerns within DoD that contractors were not consistently implementing the cybersecurity requirements of DFARS 252.204-2012, DoD responded with the creation of the CMMC Program in 2019 to move away from a “self-attestation” model of security. The CMMC Program’s purpose is for contractors and subcontractors to demonstrate that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) being processed, stored, or transmitted is adequately safeguarded. CMMC builds from existing cybersecurity requirements by requiring that contractors and subcontractors undergo Self-Assessments, Third-Party Assessments, or Government Assessments, as required, to ensure that mandated information protection requirements have been implemented. Continue Reading Happy New Year From DoD – The Proposed CMMC Rule Is Here

On October 3, 2023, the FAR Council released two proposed rules for federal contractor cybersecurity requirements that relate to cyber threat and incident reporting and information sharing (case 2021-017) and standardizing cybersecurity requirements for unclassified federal information systems (case 2021-019). Both proposed rules not only provide new requirements for federal contractors to follow but also provide new definitions and contract provisions for information and contract technology and federal information systems contracts. Continue Reading New Proposed Cybersecurity Rules Mean Big Changes for Federal Contractors

On November 4, 2021, the Department of Defense (DOD) announced it is revamping the Cybersecurity Maturity Model Certification program. The changes are intended to make the program more streamlined and flexible, which, in turn, will make it easier (and cheaper) for contractors to implement. Details of the revised program are limited, but some of the highlights include:

  • Fewer Levels: CMMC 2.0 will have only three levels of certification rather than five, and they will align more closely with existing cybersecurity standards. For example, Level 2 will align with NIST SP 800-171, the standard that applies when contractors handle controlled unclassified information.

Continue Reading DOD Announces CMMC 2.0; Cancels Rollout of CMMC 1.0