The US Department of Defense this week published a proposed rule and requested public feedback for the Cybersecurity Maturity Model Certification (CMMC) program.
The CMMC program is meant to establish an assessment mechanism to verify that defense contractors and subcontractors have implemented the security measures required to protect federal contract information (FCI) and controlled unclassified information (CUI).
The DoD currently demands that contractors and subcontractors implement the security protections detailed in the National Institute of Standards and Technology Special Publication 800-171 Rev 2.
The newly published rule is a revision of certain aspects of the program, in line with public feedback received after the initial CMMC program was published in September 2020.
According to the DoD, the revision allows self-assessment of certain requirements to simplify compliance, sets forth priorities for protecting DoD information, and reinforces cooperation between the department and industry.
The CMMC program requires a cybersecurity assessment at three levels, starting with the basic protection of FCI, moving to general protection of CUI at level 2, and reaching higher safeguarding against advanced persistent threats at level 3.
The Pentagon has opened CMMC for public comment for a 60-day period and is also requesting feedback on eight CMMC guidance documents and new information collections.
This Cyber News was published on www.securityweek.com. Publication date: Fri, 29 Dec 2023 13:13:05 +0000