Dept. of Defense announces version 2.0 of cybersecurity maturity model certification program
On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates CMMC 1.0 (see DoD guidance here) by streamlining compliance rules, strengthening cyber protection standards for companies operating in the defense industrial base, and encouraging a collaborative culture of cybersecurity and cyber resilience. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, stated. Among other things, CMMC 2.0: (i) simplifies CMMC standards and provides further clarity on cybersecurity regulatory, policy, and contracting requirements; (ii) focuses the most advanced cybersecurity standards and third-party assessment requirements on companies that support the highest priority programs; and (iii) “increase[es] DoD oversight of professional and ethical standards in the assessment ecosystem.” Changes reflected in CMMC 2.0 will be implemented through future rulemaking, and companies are not required to comply with CMMC requirements until the forthcoming rules take effect. DoD will also suspend a current CMMC pilot program and “will not approve inclusion of a CMMC requirement in any DoD solicitation” during this period.