It’s about to get a lot harder for private companies that are lax on cybersecurity to get a contract with the Pentagon, as the Defense Department has finalized a rule requiring contractor compliance with its Cybersecurity Maturity Model Certification (CMMC) program.
The final rule, which was released as a preview ahead of its formal publication in the Federal Register on Wednesday, will go into effect on November 9. After that point, all vendors who contract with the DoD, collectively known as the defense industrial base (DIB), will need to meet one of three levels of CMMC compliance, depending on the sensitivity of the unclassified information they handle, in order to be eligible for award consideration once the rule is phased in.
CMMC requirements include limiting access to sensitive data, authenticating users with access, imposing physical security rules for facilities where US government data is stored, installing regular software updates, and reporting/remediating any incidents promptly. Meeting Level 1 of CMMC requires an annual self-assessment and attestation. Level 2 may allow a self-assessment in rare cases, but most contracts will require a third-party audit. Level 3 demands a government-led assessment.
“We expect our vendors to put U.S. national security at the top of their priority list,” said acting DoD Chief Information Officer Katherine “Katie” Arrington. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”
Arrington, who is performing the duties of DoD CIO without Senate confirmation after rejoining the department earlier this year (possibly because her DoD security clearance was suspended in 2021 over concerns about disclosure of classified data), was instrumental in helping the DoD develop the CMMC during Trump’s first term.
Vendors seeking contracts with the Pentagon under CMMC have to demonstrate clear evidence that they have conformed to cybersecurity standards set forth in the program, which was made official in October of last year. CMMC only applies to contractors working with information about federal contracts and controlled unclassified information. Classified data and the software systems that handle it are subject to different rules, though that’s not to say those rules are always followed.
Vendors objected to many of the requirements imposed on them through the CMMC, leading to the development of a revised version. It’s that version that was made official last year, and that version that contractors will need to comply with under the rule previewed on Tuesday.
In addition to putting the compliance onus on contractors, the new rule requires DoD contracting officers to specify the applicable CMMC level in solicitations and ensure awards only go to vendors with a current assessment or certification. The Pentagon didn’t respond to questions for this story.