The Department of Defense (DOD) recently announced a number of changes to its Cybersecurity Maturity Model Certification program. The program applies to those that act as contractors and suppliers to the DOD. As described in our sister blog, the new version of the program – “CMMC 2.0” – has several important differences from the original program. CMMC 2.0 is expected to go into effect anywhere from 9 to 24 months from now.
Key differences include:
Restructuring the program to sort information systems into three levels (rather than five) depending on the type of information companies maintain within those systems. Depending on level, companies must provide different levels of protection for the information they handle.
Allowing Level 1 companies to self-assess (rather than requiring assessment and certification by a third party). Also allowing self-assessment for certain acquisitions at Level 2.
Aligning the required practices with National Institute of Standards & Technology (NIST) cybersecurity standards.
Increasing oversight of third-party assessors.
Allowing companies that have not yet met compliance requirements to remediate under strict timelines. Also including waivers in limited circumstances.
The new program aligns with existing regulations regarding protection of Controlled Unclassified Information (CUI). Those regulations already require NIST SP 800-171 as the minimum level of protection for CUI. They also require a self-assessment or DOD assessment against the NIST SP 800-171 controls and a related report to DOD.
Putting it into Practice: Companies that contract with the DOD (or are part of the DOD supply chain) will want to review their cybersecurity program and update their compliance plans to ensure that they are working toward the new, streamlined CMMC 2.0.