Member Portal

GovSuccess

HomeBlog & Alerts Policy and RegulationsCybersecurity Maturity Model Certification (CMMC) Program 2.0 Proposed Rule Published

Cybersecurity Maturity Model Certification (CMMC) Program 2.0 Proposed Rule Published

Cybersecurity Maturity Model Certification (CMMC) Program 2.0 Proposed Rule Published

In a significant development for government contractors and cybersecurity enthusiasts, the Department of Defense (DoD) has recently published a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) Program 2.0. This announcement marks a crucial step in strengthening cybersecurity measures within the defense industrial base.

The original CMMC program, introduced as CMMC 1.0, was designed to secure defense contractors’ information systems against increasing cyber threats. However, it faced challenges, leading to a reevaluation and the birth of CMMC 2.0. This new iteration aims to address previous concerns while bolstering cybersecurity in a more streamlined and efficient manner.

What is CMMC 2.0?

CMMC 2.0 is a refined version of the original program, focusing on simplifying compliance and fostering a more collaborative approach to cyber threat management. The proposed rule highlights three key areas of improvement:

  1. Simplified Compliance: CMMC 2.0 allows for self-assessment in certain cases, reducing the compliance burden on contractors and speeding up the certification process.
  2. Prioritization of DoD Information Protection: The program emphasizes the need to safeguard critical defense information, ensuring that the highest standards are maintained for sensitive data.
  3. Enhanced Collaboration: Recognizing the dynamic nature of cyber threats, CMMC 2.0 encourages a more cooperative approach between the DoD and its contractors, fostering a unified front against cyber adversaries.

The Three Levels of Assessment

The revised program introduces three levels of cybersecurity assessment:

  • CMMC Level 1: Focused on basic safeguarding of Federal Contract Information (FCI).
  • CMMC Level 2: Aimed at general protection of Controlled Unclassified Information (CUI).
  • CMMC Level 3: Designed to offer advanced protection against sophisticated cyber threats.

These levels are structured to provide a scalable approach to cybersecurity, aligning with the varying needs and capabilities of defense contractors.

Aligning with NIST Standards

In alignment with the National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172, CMMC 2.0 ensures that its requirements are consistent with recognized cybersecurity standards. This alignment not only streamlines compliance efforts but also contributes to a unified national cybersecurity framework.

Public Comment and Future Steps

The proposed rule is currently open for a 60-day public comment period, inviting feedback from industry experts, contractors, and other stakeholders. This input will be crucial in refining the program before its final implementation.

Moreover, a follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule for CMMC will be introduced in 2024, further integrating CMMC requirements into the broader regulatory landscape.

In closing, the publication of the CMMC 2.0 proposed rule is a significant milestone in the evolution of cybersecurity standards for defense contractors. By addressing previous challenges and aligning with established standards, CMMC 2.0 promises to enhance the security and resilience of the defense supply chain. As we await further developments, it’s clear that cybersecurity remains a top priority for the DoD and its partners.

Disclaimer:

We Do Contracts, Inc. is not a law firm. Nothing on this website is legal advice and no attorney-client relationship is formed by purchasing or viewing information or templates. If you have a specific problem and need legal advice, contact a licensed attorney.

Protected by Copyscape

Newsletter

  • This field is for validation purposes and should be left unchanged.
Scroll Back to Top