Defense Department Releases Companion Video for CMMC Public Comment Period

By C. Todd Lopez

WASHINGTON (Feb. 15, 2024) -- The Defense Department has released a detailed video that explains the nuances, complexities and importance of the recently published proposed rule for its Cybersecurity Maturity Model Certification program.

The video is designed to better inform members of the defense industrial base and other interested parties about the proposed rule for the CMMC program and to help those stakeholders better prepare their own comments and input that will be reviewed before the CMMC program proposed rule is finalized.

A 60-day public comment period on the proposed rule opened Dec. 26, 2023. The public comment period closes Feb. 26 at 11:59 p.m. Comments received during the public comment period will be reviewed and will inform the final rule.

The Cybersecurity Maturity Model Certification program gives the Defense Department a mechanism to verify the readiness of defense contractors both large and small to handle controlled unclassified information and federal contract information in accordance with federal regulations.

A big part of this program is the use of authorized CMMC "third-party assessment organizations," or C3PAOs, to conduct CMMC Level 2 certification assessments for companies seeking that assessment level. CMMC Level 3 assessments will be conducted by the Department.

The C3PAOs are not paid by the department but will instead be paid by defense industrial base companies seeking verification of compliance. The department does, however, play a role in setting the requirements for the C3PAOs.

Gurpreet Bhatia, the DOD Chief Information Officer's principal director for cybersecurity, said that the CMMC program will play an important role in helping keep important DOD information within the department and out of the hands of adversaries.

"Exfiltration from defense contractors is a problem that threatens our economic and national security," Bhatia said. "Malicious cyber actors continue to target defense contractors. Attacks focus both on large prime contractors and smaller subcontractors in lower tiers. Although DOD has had contract requirements that intended to address this for several years, the defense industrial base has been slow to implement."

The CMMC program, Bhatia said, is designed to better help defense contractors comply with regulations related to cybersecurity and also to help the DOD keep track of who is and isn't compliant.

"We're committed to implementing the CMMC Program," Bhatia said. "The added emphasis it will bring to protecting DOD's information is important."

Bhatia also said that he hopes the defense industry and other stakeholders will take the opportunity to provide comment on the DOD's proposed CMMC rule so that their input can be considered when drafting the final rule.

"It's important that we receive comments that clearly articulate your perspective so that the department can address those key concerns in the final rule," he said. "We must work together to enhance cybersecurity and protect DOD information from exfiltration."
