After a lengthy review process, the Department of Defense today issued an update to its Cybersecurity Maturity Model Certification (CMMC) program – dubbed CMMC 2.0 – that will simplify some of the cybersecurity requirements for contractors in the Defense Industrial Base (DIB) looking to do business with the government.
The new requirements reportedly concentrate the most stringent cybersecurity standards on the contractors supporting the highest-priority programs and cut the number of CMMC maturity levels from five to three.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, said in a press release. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
The program, designed to raise the level of cybersecurity practices among DIB contractors, has been under an internal review since late March. Contractors in the DIB had grown worried about the rising costs of compliance after DoD announced a rule that would make CMMC a part of all Pentagon contracts by fiscal year 2026. Industry groups recently called on the DoD to reaffirm its commitment to the program, and today’s announcement appears to answer those calls.
CMMC 2.0 looks to ease some of that burden on contractors by decreasing the number of maturity levels and by making Level 1 (“foundational”) compliance attainable through annual self-assessments. The second level, “advanced” compliance, raises the requirements significantly, going from 17 practices at Level 1 to 110 cybersecurity practices aligned with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
While a select set of programs will be able to achieve Level 2 compliance through self-assessments, most contractors handling critical national security information will need to complete triannual assessments by third-party assessment organizations. The new top level of compliance will require contractors to implement more than 110 practices in line with NIST SP 800-172 and will be awarded through triannual government-led assessments.
Currently, DoD has suspended all CMMC pilots and the inclusion of CMMC requirements in any DoD solicitations while it continues through the rulemaking process. The DoD said companies will be required to comply only once the new rules go into effect.