DOD Unveils New Contractor Rules for CMMC 2.0
The Department of Defense has revamped the Cybersecurity Maturity Model Certification program, with a focus on simplifying contractor requirements and minimizing barriers to compliance.
In its updated guidance issued Thursday, the DOD announced that the number of CMMC maturity levels has been reduced from five to three.
Contractors seeking foundational compliance under level 1 of CMMC 2.0 will have to implement 10 cybersecurity practices. Levels 2 and 3 require companies to implement at least 110 practices aligned with the National Institute of Standards and Technology Special Publication 800-171, National Defense Magazine reported Thursday.
Level 1 foundational compliance can now be achieved through annual self-assessments. The majority of contractors under level 2 will have to undergo triannual third-party assessments, but some will be cleared to conduct self-assessments. Notably, the new top-level compliance strictly requires triannual government-led assessments.
CMMC 2.0 will also allow for waivers to cybersecurity requirements “under certain limited circumstances” for “selection mission-critical requirements.”
The new contractor requirements will be formalized after the completion of the rulemaking process for the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement.
The DOD settled on the new rules following an internal review of the program. Top officials such as Mieke Eoyang, deputy assistant secretary of defense for cyber policy, and David McKeown, deputy chief information officer for cybersecurity, participated in the assessment.
CMMC Accreditation Body CEO Matthew Travis welcomed the changes made to the cybersecurity program, saying they delivered on what the internal review set out to accomplish, including reducing the cost burden and improving scalability.