Department of Defense Announces New Cybersecurity Maturity Model Certification Rule

U.S. military contractors are set to face stringent new cybersecurity requirements, following the Department of Defense’s (DoD) official introduction of a mandatory controls framework to be implemented over the next three years. This initiative stems from a desire to secure sensitive information that, while not classified, is still critical to national security.
The urgency for a unified cybersecurity standard was first acknowledged by the DoD in 2019, when concern grew regarding the security practices of over 300,000 contractors. Recent executive orders affirm the DoD’s enhanced authority in managing cybersecurity levels. The finalized Cybersecurity Maturity Model Certification (CMMC) rule, released on September 10, is a response to industry criticism that prior proposals were too complex and potentially exclusionary for smaller firms.
The rule introduces a phased implementation approach, commencing on November 10, built around three cybersecurity levels. Contractors handling “federal contract information” can validate their compliance through self-attestation. In contrast, those handling “controlled unclassified information” will need assessments from certified third-party organizations to confirm adherence to the required cybersecurity measures.
In its first year, the DoD will demand self-attestation from contractors bidding for contracts, with plans to implement third-party certification requirements in the second year. By the third year, solicitations may necessitate certification from the Defense Industrial Base Cybersecurity Assessment Center, marking a significant step in standardizing cybersecurity protocols across the defense landscape.
This gradual rollout aims to facilitate a smoother transition for contractors, allowing time for compliance and training while addressing the operational challenges these requirements might impose. Notably, the reduction of CMMC levels from five to three has been well-received as a measure to alleviate the complexity associated with earlier frameworks.
Katie Arrington, who is acting as the Pentagon’s Chief Information Officer, emphasized the expectation that contractors prioritize U.S. national security. Industry insiders, such as Stacy Bostjanick, deputy CIO for cybersecurity within the defense sector, have underscored the persistent risks posed by cybercriminal activities like ransomware and cyber espionage. The aim is to fortify what has been described as the “soft underbelly” of defense operations.
Experts in the cybersecurity field, including Frank Balonis, CISO at Kiteworks, warn that many defense contractors currently lack formal governance structures, with a significant portion falling short on vital security benchmarks essential for CMMC compliance. The implications of this shortfall could hinder their ability to secure critical contracts and navigate the evolving regulatory landscape.
The phased implementation is expected to impact a broad array of contractors, compelling them to reevaluate their operational practices in light of these new regulations. As Amy Fuentes, an attorney at Holland & Knight, notes, organizations will need to adapt to meet certification standards, a transition that will require careful planning and resources.