US civilian federal agencies to impose CMMC-like rules on contractors
By Matt Malarkey | Date published: 17 April 2023

The Department of Defense is working with civilian government departments to impose a new Federal Acquisition Regulation (FAR) rule that requires contractors supporting these agencies to meet new cybersecurity requirements, along the lines of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. Plans for greater alignment were shared by the chief of defense industrial base cybersecurity at the Office of the DoD CIO, Stacy Bostjanick, at a virtual event early this month.
At present, contractors handling sensitive information are required to meet 15 basic cybersecurity requirements to keep data secure. To better protect sensitive federal information, these plans would see civilian contractors that handle sensitive government information meet baseline cybersecurity standards such as NIST 800-171. It is not yet clear whether federal civilian contractors will face third-party assessment requirements, as can be the case with CMMC, or whether they will be able to use self-assessments to attest to compliance.
Changes to the CMMC program were announced in 2021
In November 2021, following a review of the existing CMMC framework by the DoD, CMMC Version 2.0 was announced. The aim of this change was to streamline the model – from five levels down to three – and align CMMC with widely accepted standards, such as NIST.
As well as allowing self-assessments for organizations with Level 1 requirements, CMMC 2.0 introduced the ability for companies, under certain limited circumstances, to make Plans of Action & Milestones (PoAMs) if not all requirements are met.
Those with Level 2 requirements will either be able to self-assess or will need third-party audits, depending on the nature of the contract and the information handled, while Level 3 contractors will require triennial government-led assessments.
Final rulemaking for CMMC requirements is still underway, with further announcements to be made later this year.
Contractor compliance preparations should now be underway
While Bostjanick acknowledged that many contractors fear that CMMC accreditation will be a resource burden and costly to attain, she implored those who are hesitant to begin preparing for the compliance standards now, commenting: “It’s coming across of all federal government — you might as well get out in front of it and be one of the first.”
Utilizing compliance audits and assurance automation tools is one way that contractors are choosing to prepare for CMMC accreditation. Find out more about how Nipper can accelerate the compliance process with risk remediation advice and exact technical fixes for misconfigurations.