NOTE: The Alaska PTAC has been renamed as Alaska APEX Accelerator. This change occurred on September 15, 2023. Learn why.
The Defense Department is significantly scaling back a program it rolled out last year to validate the cybersecurity of its suppliers through third-party audits and is halting its implementation until the changes are official.
The program was supposed to be implemented over a five-year period with the ultimate goal of requiring every defense contractor in possession of certain controlled but unclassified information to obtain a certificate from a third-party assessor indicating their adherence to the Cybersecurity Maturity Model Certification standard. A number of programs within DOD were selected to pilot the program this year. Now, the Pentagon says it is looking to streamline the program—into CMMC 2.0—and make it more collaborative with industry in two new rulemakings through the Code of Federal Regulations.
“Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,” reads a notice set to publish Friday in the Federal Register. “The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.”
At the heart of CMMC was an assertion by Pentagon officials that the current system of allowing defense contractors to self-attest, or simply pledge, their adherence to cybersecurity standards outlined by the National Institute of Standards and Technology is not working. The officials pointed to continued theft of intellectual property by Chinese nation-state actors as their chief indicator. CMMC established five levels of cybersecurity for contractors to meet depending on the criticality of the data they would be working with.
According to the notice, CMMC 2.0 would remove levels two and four, reducing the model to three levels. All level one contractors would be allowed to self attest to their cybersecurity. The notice said the second level of contractors—previously level three—would be “bifurcated” into priority and non-priority acquisitions with the former also being able to avoid an independent third-party assessment. Rules for the third and highest level—previously level five—are yet to be determined.