The CMMC (Cybersecurity Maturity Model Certification) proposed rule is a new regulation put forth by the Department of Defense (DoD) aimed at strengthening the cybersecurity of the Defense Industrial Base (DIB).
Key points of the proposed rule:
- Three levels of certification:
  - Level 1: Focuses on basic cyber hygiene for contractors handling Federal Contract Information (FCI).
  - Level 2: Requires more advanced security measures for contractors handling Controlled Unclassified Information (CUI).
  - Level 3: The most stringent level, requiring expert assessment for contractors handling CUI on critical programs.
- Self-assessments and third-party assessments:
  - Level 1 allows for self-assessments.
  - Level 2 offers a choice between self-assessment and third-party assessment.
  - Level 3 mandates third-party assessment by DoD assessors.
- Increased accountability:
  - Requires annual affirmations from senior company officials at all levels.
- Focus on prioritized programs:
  - Initially, the rule will apply to contracts for the most critical programs.
Additional information:
- The proposed rule was published in the Federal Register on December 26, 2023.
- The comment period ended on February 24, 2024.
- The final rule is expected to be published later in 2024.
- CMMC 2.0 is designed to be more flexible and scalable than the original CMMC framework.
- The proposed rule has received mixed reactions from the DIB, with some praising its flexibility and others expressing concerns about its complexity and cost.
Resources:
- Federal Register: https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program