New Cybersecurity Regulations Impact Defense Supply Chain


Pentagon Officially Implements Long-Awaited Cybersecurity Requirements for Vendors


New cybersecurity certification standards for defense contractors and their subcontractors officially took effect Monday, concluding years of deliberation over compliance costs, audit oversight, and supply chain accountability.


The newly established Cybersecurity Maturity Model Certification (CMMC) regulation revises federal defense acquisition guidelines to incorporate CMMC requirements across all new contracts, option years, and extensions. The rule requires prime contractors to validate that their subcontractors achieve the necessary certification level. Initial enforcement will focus on Level 1, escalating gradually through 2028, though the department may move faster based on program needs.

Experts have noted that the rule formalizes long-anticipated responsibilities while clarifying how the requirements apply to existing contracts and renewals. According to Thomas Graham, chair of the Cyber AB C3PAO Accreditation Committee, which operates as the Department of Defense’s accreditation body for the CMMC program, the final rule resolves earlier uncertainties.

“One significant gap that remained uncertain before the rule was finalized is its applicability to option years and performance duration extensions on current contracts,” stated Graham, who additionally serves as CISO at Redspin. He advised contractors preparing for compliance to start by updating their Supplier Performance Risk System scores and engaging with contracting officers to identify the required CMMC level for their forthcoming contracts.

“Trust fundamentally underpins CMMC,” Graham emphasized. “While this program reinforces the Department of Defense’s confidence in its contractors, it also represents a collective commitment to fortifying national cybersecurity defenses.”

In the first program year, contractors will be required to complete self-assessments as a prerequisite for new contract awards and certain exercised options. Companies handling more sensitive data will require certification from an accredited third-party assessment body starting in the second year, with further requirements extending into the third year as the Defense Industrial Base Cybersecurity Assessment Center begins to enforce validation mandates.

The Pentagon unveiled plans in 2019 for a unified cybersecurity standard applicable to information below the classification threshold, responding to concerns regarding the inconsistent safeguarding of data among its numerous contractors. The initiative aims to bridge persistent gaps in cybersecurity risk management within a supply chain comprising over 300,000 vendors.

The comprehensive final rule builds on years of revisions, moving from a single stringent requirement to a tiered framework aligned with guidance from the National Institute of Standards and Technology (NIST). The updated structure sets out varying levels of cybersecurity rigor based on the sensitivity of the information being handled, ranging from basic cyber hygiene to advanced, continuously monitored protections.
