On 26 December 2023, the DoD published their most recent update to the programme, CMMC 2.0, designed to enhance existing mechanisms utilised by defence contractors and subcontractors in handling federal contract information (FCI) or controlled unclassified information (CUI) during DoD contracts.
The Cybersecurity Maturity Model Certification (CMMC) programme, introduced by the United States Department of Defense (DoD), is a crucial initiative aimed at bolstering cyber security within the DoD contracting community.
Background
The CMMC programme was designed as a tool to verify the secure exchange of sensitive and unclassified information between DoD and its contractors and subcontractors. This programme plays a vital role in ensuring that contractors and subcontractors comply with cyber security requirements applicable to the procurement of programmes and systems handling CUIs. The CMMC originated from an Executive Order (E.O.) aiming to establish a standardised system for managing unclassified information with safeguarding or dissemination controls. However, initial reports highlighted restrictions on information sharing and system inefficiencies, leading to the creation of the CUI program under the E.O. to standardize information handling in the executive branch.
In 2019, the DoD announced the transition from the 'self-attestation' security model, officially introducing the CMMC 1.0 programme in September 2020, with subsequent refinements in the CMMC 2.0 update in 2021.
What does the CMMC 2.0 proposed rule mean?
The DoD's proposed changes will look to simplify aspects of the CMMC programme by further streamlining processes and adding flexibility to the system. The current programme now allows for:
- Simplified compliance by allowing self-assessment for some requirements.
- Priorities for protecting DoD information.
- Reinforced cooperation between the DoD and industry in addressing evolving cyber threats
The proposed rule will seek to codify CMMC 2.0, and will replace the five maturity levels from CMMC 1.0 with three ‘CMMC Levels':
Level 1: Basic safeguarding of FCI.
Level 2: General protection of CUI.
Level 3: High Level of protection against risk from advanced persistent threats.
Self-assessments will be conducted for Levels 1 and 2, while Level 3 assessments will involve government assessors to alleviate the burden on industry.
Opportunities for industry input
The DoD is actively seeking feedback on the CMMC proposed rule, with a deadline for submission set for 26 February 2024. Additionally, feedback is request on eight CMMC guidance documents and new information collections.
Industry is encouraged to stay informed about the CMMC programme and actively participate in the feedback process. More details about the CMMC programme can be found here.
Find out more
If you'd like to learn more about the new US cyber security regulations and their impact on UK companies, techUK is holding a briefing on 7 March (14.00 to 15.30). You can register to attend this (in person or online) here.