Cyber

Pentagon releases proposed rule on cybersecurity standards for contractors

The DOD released the proposed rule for the highly anticipated CMMC program.

December 22, 2023

River entrance of the U.S. Department of Defense. (Getty Images)

At long last, the Department of Defense has released its proposed rule on cybersecurity standards for contractors.

Following several years of development, the DOD in late 2021 shifted gears and unveiled the Cybersecurity Maturity Model Certification 2.0, which includes enhancements to the initial program first developed during the Trump administration. After reforming the program, the Pentagon has been working on a final rule that will mandate contractors that work with the department’s controlled unclassified information be CMMC certified, or risk losing their business.

The CMMC program is based upon a tiered cybersecurity framework that sets requirements for companies based on the level of security necessary for their work. The initiative was conceived to protect contractor information from being exploited by adversaries. Officials in years past have attributed $600 billion in annual losses to cyber thefts from adversaries.

An unpublished version of the proposed rule appeared on the Federal Register Dec. 22 — a few days before its official publication on Dec. 26.

The public comment period is 60 days from publication date.

The program is not without controversy, as some contractor advocates in the past have argued the program will be expensive, onerous — particularly for small businesses and non-traditional contractors — and confusing to keep up with.

CMMC 2.0 sought to simplify things with three key features:

The first is a tiered model that requires contractors to implement cybersecurity standards on a three-level scale based on the sensitivity of the information.
The second is an assessment requirement that allows DOD to verify implementation of the standards.
And the third is implementation through contracts. Once CMMC contracts are fully implemented, DOD contractors that handle sensitive information must achieve a particular CMMC level in order to win the prospective contract.

Updated on Dec. 28, 2023: This story has been updated to include a link to the proposed rule that was officially published Dec. 26.

Pentagon releases proposed rule on cybersecurity standards for contractors

More Like This

Navy announces new top cyber adviser

Air Force issues call for cyber, electromagnetic, sensing capabilities to support ABMS

Marine Corps deploys cyber personnel to Pacific for enduring defense mission

Top Stories

Air Force plans industry roundtables on effective uses, adoption of generative AI

US to give Israel $1.2B for Iron Beam laser weapon

After Iran’s strikes on Israel, Juniper Oak exercises seen as a ‘harbinger’

General Atomics adding AESA radar and software to upgraded Gray Eagles

Navy to unveil new ‘structured piloting’ framework for IT modernization

Army rethinks its approach to AI-enabled risks via Project Linchpin

More Scoops

DOD launching fully operational vulnerability disclosure program for defense industrial base

New DOD strategy aims to improve contractors’ cybersecurity, resiliency

With CMMC looming, military services explore ways to extend secure environments to small businesses

Pentagon reveals updated cost estimates for CMMC implementation

Proposed rule would allow DOD program managers to request waivers for CMMC requirements

CMMC final rulemaking process kicks off with submission to OMB for review

Pentagon issues rule to ban TikTok on all DOD-connected devices, including for contractors

Latest Podcasts

How the Navy is reducing workforce friction to improve mission outcomes

How DARPA is looking to AI to fend off cyber vulnerabilities through a challenge program

How the DOD protects national security interests by monitoring climate change

Google’s Scott Frohman Talks AI Innovation at Google Cloud Next

Weapons

Cyber

IT

AI