US civilian federal agencies to impose CMMC-like rules on contractors

By Matt Malarkey | Date published: 17 April 2023

The Department of Defense is working with civilian government departments to impose a new Federal Acquisition Regulation (FAR) rule that requires contractors supporting these agencies to meet new cybersecurity requirements, along the lines of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. Plans for greater alignment were shared by the chief of defense industrial base cybersecurity at the Office of the DoD CIO, Stacy Bostjanick, at a virtual event early this month.

At present, contractors handling sensitive information are required to meet 15 basic cybersecurity requirements to keep data secure. However, to better protect sensitive federal information, these plans would see civilian contractors that handle sensitive government information meet basic cybersecurity standards, such as NIST 800-171. It is not yet clear whether federal civilian contractors will face third-party assessment requirements, as can be the case with CMMC, or whether they will be able to use self-assessments to attest to compliance.

Changes to the CMMC program were announced in 2021

In November 2021, following a review of the existing CMMC framework by the DoD, CMMC Version 2.0 was announced. The aim of this change was to streamline the model – from five levels down to three – and align CMMC with widely accepted standards, such as NIST.

As well as allowing self-assessments for organizations with Level 1 requirements, CMMC 2.0 introduced the ability for companies, under certain limited circumstances, to submit Plans of Action & Milestones (PoAMs) where not all requirements are yet met.

Those with Level 2 requirements will either be able to self-assess or will need third-party audits, depending on the nature of the contract and the information handled, while Level 3 contractors will require triennial government-led assessments.

Final rulemaking for CMMC requirements is still underway, with further announcements to be made later this year.

Contractor compliance preparations should now be underway

While Bostjanick acknowledged that many contractors have fears that CMMC accreditation will be a resource burden and costly to attain, she implored those that are hesitant to begin preparations for compliance standards now, commenting: “It’s coming across of all federal government — you might as well get out in front of it and be one of the first.”

Utilizing compliance audits and assurance automation tools is one way that contractors are choosing to prepare for CMMC accreditation. Find out more about how Nipper can accelerate the compliance process with risk remediation advice and exact technical fixes for misconfigurations.
