By C. Todd Lopez
WASHINGTON (Oct. 17, 2024) -- The Defense Department on Friday released for public inspection the final cybersecurity maturity model certification program rule. The rule includes changes that make it simpler for private sector companies to comply with the cybersecurity requirements that must be in place before they can bid on defense contracts.
The department's cybersecurity maturity model certification program, also called CMMC, ensures that private sector companies doing work for the Defense Department as part of the defense industrial base demonstrate that their computer networks and cybersecurity practices are up to the task of defending against intrusions by adversaries who may want access to information about government contracts and weapons systems development.
According to defense officials, the defense industrial base in the United States is the target of recurrent and progressively sophisticated cyberattacks, targeting the controlled unclassified information and federal contract information which is processed, stored or transmitted on nonfederal unclassified information systems. Those attacks threaten both the department mission and national security.
A big change in the new CMMC rule, which is included in Title 32 of the Code of Federal Regulations -- a section dedicated to national defense -- is a simplification of the assessment levels that were previously within the CMMC program. The new rule reduces the number of levels from five to just three.
"The decrease from five levels to three levels is part of the streamlining effort that we did as we went from the original program to the one that we just released," said Buddy Dees, director of the CMMC program management office.
The CMMC program asks private sector companies that do business with, or hope to do business with, the department to demonstrate compliance with cybersecurity requirements described in both the Federal Acquisition Regulation and publications from the National Institute of Standards and Technology.
Previously, the DOD's CMMC program included five levels of compliance, where levels two and four were designed specifically to help companies make transitions between the other levels.
"As part of the streamlining, we got rid of the transition levels," said Dees.
Now, Dees said, there are only three levels of compliance.
Within CMMC, he said, level one compliance asks contractors to self-assess their ability to provide basic protection of federal contract information. At level two, which deals with general protection of controlled unclassified information, companies will either self-assess or seek assessment by a CMMC third-party assessment organization depending on the nature of the information they will be expected to process.
For level three, the highest level, compliance requires companies to demonstrate an ability to protect higher levels of controlled unclassified information. Certification at this level must be completed with an assessment by DOD's own Defense Industrial Base Cybersecurity Assessment Center.
The CMMC has also been simplified in other ways to make it easier for private companies to demonstrate cybersecurity compliance and become eligible to contribute to national security, Dees said.
Under the original program, for instance, Dees said the department wasn't just interested in if companies in the defense industrial base met cybersecurity requirements. It was also interested in the processes used by defense industrial base companies to achieve compliance and if those processes were repeatable.
"When we went from the original to the current CMMC, we decided to eliminate the assessment of that process piece, and we're strictly going to focus on assessing the cybersecurity requirements," he said.
An additional set of requirements was also removed from CMMC: requirements that DOD had put in place but that were not aligned with the cybersecurity standards outlined by NIST.
"We [had] also included twenty cybersecurity requirements that were not previously required under NIST," Dees said. "When we went from the transition [CMMC] to the new one ... the decision was we're going to align ourselves directly with the NIST cybersecurity standards. And so, we got rid of those twenty ... 'CMMC-unique requirements.' We deleted them as part of that move from the original program to the revised program."
Development of CMMC has been underway, in various forms, for more than five years. Original plans for implementing CMMC, however, proved cumbersome and caused concern within the defense industrial base, especially within medium-sized and small companies which might not have the resources of larger, more established defense contractors.
"There was indication from small and medium businesses that it was going to be very difficult for them to achieve this," said Stacy Bostjanick, chief of defense industrial base cybersecurity.
With feedback from the business community a decision was made to look at how the CMMC, as originally planned, could be made simpler and less expensive for businesses, while still ensuring national security, she said.
"The new administration ... made the determination that we needed to relook the program and ensure that we were doing what it intended to do and [we were] not being overly arduous and onerous on the DIB community," Bostjanick said. "We wanted to ensure that we continued to have the support and participation of the industrial base."
The government, she said, put a "strategic pause" on the CMMC that had been developed, so that it could be re-evaluated.
The new CMMC is expected to be better accepted by the defense industrial base, while at the same time it ensures national security, she said.
"CMMC will protect our intellectual property and our innovation," she said. "We continuously have our data taken by advanced persistent threats. We have contractors that get targeted by malicious actors trying to extort money from them over the retention of their data, and that puts our men and women in service on the battlefield at risk, because they are impeding our ability to ensure that they have the best and highest capability weapons in their hands."
Through CMMC, Bostjanick said, the department will ensure that weapons systems developed by the defense industrial base, in partnership with the Defense Department, will stay in the hands of America's warfighters and allies only -- and not end up in the hands of adversaries.
The CMMC final rule in Title 32 of the Code of Federal Regulations, about 450 pages long, describes the CMMC program in detail. Now that the rule has been made public, it enters a 60-day congressional review period before it takes effect.
Additionally, the CMMC proposed rule in Title 48 of the Code of Federal Regulations, which would implement DFARS Clause 252.204-7021, completed its public comment period on Oct. 15. This rule must also be finalized and complete congressional review before the department can insert CMMC compliance requirements into defense contracts. It's expected this won't happen until early to mid-2025.