The U.S. Department of Defense (DoD) has finalised the latest version of the Cybersecurity Maturity Model Certification (CMMC) program, aimed at tightening cybersecurity standards for defence contractors. Contractors must pass CMMC assessments to bid on DoD contracts. The program ensures compliance with regulations like the Federal Acquisition Regulation (FAR) and the National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172, which govern the protection of federal contract information (FCI) and controlled unclassified information (CUI).
The CMMC program is evolving from self-attestation toward a stricter framework that now includes accountability mechanisms for contractors misrepresenting cybersecurity practices. A key feature is the annual affirmation requirement, which helps monitor and enforce the cybersecurity posture of companies. The program, originally introduced in 2020 with five levels, has been streamlined to three levels in CMMC 2.0 to simplify compliance for small and medium businesses. The rule also introduces Plans of Action and Milestones (POA&Ms), granting conditional certification for up to 180 days to companies working toward full compliance.
Defence contractors must meet one of three cybersecurity levels, determined by whether they handle FCI or CUI: level 1 allows self-assessment, level 2 requires either a third-party assessment or a self-assessment, and level 3 mandates advanced protections verified by the Defense Industrial Base Cybersecurity Assessment Center.
Source and further reading

Coker, J. (2024, October 14). US DOD tightens cybersecurity standards for defense contractors. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/dod-cybersecurity-standards