NDIA POLICY POINTS: The Costs and Scope of CMMC 2.0
1/26/2024
By Rachel A. McCaffrey and Michael Seeds
The Defense Department first proposed the Cybersecurity Maturity Model Certification program in 2019 and, while it has yet to be fully implemented, the concept seems simple.
CMMC will ensure defense contractors comply with their contractual obligations to protect controlled unclassified information, or CUI, by requiring companies to hire third-party assessors to certify compliance, moving away from the “self-attestation” model.
However, nothing is ever as simple as it seems, and since the CMMC framework was first announced in 2019, “uncertainty” is a word that has been closely associated with the program.
The Defense Department released a proposed rule to implement the second iteration of CMMC, dubbed CMMC 2.0, on Dec. 26. The rule makes several changes, including reducing the number of compliance levels from five to three, aligning Level 2 compliance with National Institute of Standards and Technology Special Publication 800-171, and aligning Level 3 compliance with NIST SP 800-171 and NIST SP 800-172.
https://www.nationaldefensemagazine.org/articles/2024/1/26/ndia-policy-points-the-costs-and-scope-of-cmmc-20