The U.S. Department of Defense has unveiled a pivotal proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program, aimed at streamlining compliance and fortifying safeguards for sensitive data against cyber threats. This long-awaited rule introduces a tiered security framework tailored for contractors and subcontractors handling sensitive unclassified information.
The tiers span three levels, with Level 1 encompassing fundamental security measures and Level 3 mandating the most advanced protocols. Contractors falling within CMMC levels 2 and 3 will undergo third-party compliance evaluations. Moreover, these contractors must attain specific CMMC levels to vie for particular contract awards, as outlined in the draft. This initiative, labeled “CMMC 2.0,” was initially outlined by the Defense Department back in November 2021.
The extensive 200-page draft delineates precise security requisites corresponding to each tier, with Level 1 contractors tasked with implementing 15 security measures stipulated in the Federal Acquisition Regulation. As the tiers progress, the requirements become more rigorous. For instance, Level 2 contractors must adhere to 110 security measures from NIST SP 800-171, in addition to fulfilling Level 1 criteria. Meanwhile, Level 3 contractors must comply with Level 1 and Level 2 prerequisites, alongside 24 supplementary security measures from NIST SP 800-172.
The Pentagon plans to evaluate Level 3 security adherence and grants contractors 180 days post-assessment to devise and execute action plans to fulfill any unmet security requirements. While Level 1 contractors handle federal contracting information, Level 2 and 3 contractors manage controlled unclassified information. All CMMC contractors must report their security assessments to the Defense Department, although Levels 1 and 2 are permitted to conduct self-assessments.
By delegating self-assessments to the initial tiers of contractors, the Pentagon anticipates cost savings, reserving resources from the Defense Industrial Base Cybersecurity Assessment Center for the final tier’s evaluations. This proposed rule marks a pivotal step in fortifying cybersecurity measures within the defense industrial base while promoting greater transparency and accountability among contractors.
