DOD Eyes Stronger Security Measures for Federal Contract Information

The Department of Defense’s Office of the Chief Information Officer has proposed a rule for the Cybersecurity Maturity Model Certification program that would require defense contractors and subcontractors to apply existing security measures to federal contract information.

The rule would also set new controlled unclassified information security requirements for some priority programs, according to a notice posted in the Federal Register.

Comments on the DOD CIO’s proposed rule are due on Feb. 26, 2024.

The DOD requires contractors to implement measures detailed in the National Institute of Standards and Technology’s Special Publication 800-171 Revision 2 to protect its sensitive unclassified information on third-party systems.

In November, NIST released a draft of a third revision for SP 800-171 that would expand the controls to cover non-government CUI and limit system access for users assigned organizational tasks. The rule also requires organizations to periodically review privileges and revoke access when necessary.

NIST is accepting comments on the drafts until Jan. 26, 2024.