As the threat from foreign actors is only set to increase in cyberspace, the Pentagon has looked to require that data used by third parties remains secured.

To that end, the United States Department of Defense (DoD) is set to publish the final program rule for the Cybersecurity Maturity Model Certification (CMMC) Program on Tuesday. CMMC was introduced to verify that defense contractors maintain compliance with the existing protections for federal contract information (FCI), while also ensuring that controlled unclassified information (CUI) is secured at a level commensurate with the risk from cybersecurity threats.

CMMC was meant to address cybersecurity deficiencies in the defense industrial base and to secure the supply chain. It was also developed to be semi-automated and, more importantly, cost-effective, so that small businesses could still achieve at least a Level 1 certification within the program.

“This final rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and -172. It also clearly identifies the 24 NIST SP 800-172 requirements mandated for CMMC Level 3 certification,” the DoD noted.

The latest CMMC rules were also meant to simplify the process for small- and medium-sized businesses by streamlining the assessment levels, reducing their number from the original five, present when CMMC was first introduced, to three under the latest revision.

“The implementation of the CMMC certification program is a positive step forward especially for small to medium-sized businesses engaged with the DoD,” explained Jim Routh, chief trust officer at cybersecurity company Saviynt.

“The CMMC assessment process has been streamlined specifically for the SMB market to participate, which needs to demonstrate a higher level of resilience to do business with the DoD,” Routh told ClearanceJobs.

Self Assessment

Under the updated 32 CFR rule, the Pentagon will allow contractors to self-assess their compliance in some cases. While basic protection of FCI will require self-assessment at CMMC Level 1, the general protection of CUI will require either third-party assessment or self-assessment at CMMC Level 2.

“A higher level of protection against risk from advanced persistent threats will be required for some CUI,” the DoD added. “This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center led assessment at CMMC Level 3.”

The Pentagon had estimated that the overall program costs would be reduced by allowing for self-assessments for Level 1 and some Level 2 assessments, while further minimizing cost to industry for Level 3 assessments by having Government assessors from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct these assessments.

As previously reported, over the three-year rollout, the number of contractors that handle sensitive data could increase to 35%, and those companies will need to obtain the “level two” CMMC third-party certification.

Plans of Action and Milestones

With the publication of the final program rule, the DoD introduced its “Plans of Action and Milestones” (POA&Ms), which will be granted for specific requirements as outlined in the rule to allow a business to obtain conditional certification for 180 days while working to meet the NIST standards.

According to the Defense Department, the benefits of CMMC include:

  • Safeguarding sensitive information to enable and protect the warfighter
  • Enforcing DIB cybersecurity standards to meet evolving threats
  • Ensuring accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuating a collaborative culture of cybersecurity and cyber resilience
  • Maintaining public trust through high professional and ethical standards

The Pentagon acknowledged the significant time and resources that will be required for the industry to comply with its cybersecurity requirements but stressed that it is necessary for safeguarding CUI.

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.