DOD Seeks Changes to CMMC Model

The Department of Defense plans to introduce changes to the foundation of the Cybersecurity Maturity Model Certification after receiving industry feedback from contractors and trade groups on the CMMC Defense Federal Acquisition Regulation System rule.

DOD spokeswoman Jessica Maxwell said the modifications are necessary to address evolving national security threats, noting that the department is committed to evaluating the best standards to combat such threats. 

While the DOD has yet to announce the specific changes it will be making, it is believed that the tweaks will apply to the highest level of the five-tier CMMC model, FedScoop reported. 

Concerns raised within the 60-day comment period of the DFAR rule include the need for clear guidance on the reciprocity between the CMMC controls and other federal information technology compliance programs. 

The DOD also received concerns about tightened regulations that might border on being counterproductive.

In its comment, the Information Technology Industry Council said that while it is important to push for the necessary cybersecurity protocols, the DOD should guard against actions and regulations that do not add security and impede the industry’s ability to innovate.

Among other things, ITI called for clear guidance informing how subcontractors will be handled with flow-down requirements.

The announcement of the CMMC model tweaks comes after the publication of new protective guidance from the National Institute of Standards and Technology. SP 800-172, which was published in light of the SolarWinds Orion hack, offers security controls to help agencies improve data confidentiality. 

Speaking with InsideCybersecurity, Stacy Bostjanick, the acting director of supply risk management at the DOD, said the department intends to synchronize CMMC levels four and five with the new NIST guidance.