New Cybersecurity Rules Released for Defense Contractors by DOD


DoD Unveils Final Cybersecurity Rule for Contractors

The Department of Defense (DoD) has introduced an important new rule for defense contractors under its Cybersecurity Maturity Model Certification (CMMC) Program. This updated rule, released today for public inspection, will be officially published on October 15. The goal of the CMMC Program is to ensure that businesses working with the federal government, especially defense contractors, have the right cybersecurity protections in place. These protections aim to keep federal contract information (FCI) and controlled unclassified information (CUI) safe from cyber threats.

This new rule changes the program to make it simpler for small- and medium-sized businesses while ensuring they comply with necessary security standards. It is also aligned with existing federal cybersecurity requirements.

Streamlined Cybersecurity Certification Process

One of the biggest changes in the new rule is the reduction of certification levels. In the previous version of the CMMC Program, there were five levels of certification. Now, there are only three. This simplification is meant to make it easier for companies, especially smaller ones, to understand and meet their cybersecurity requirements.

Each level corresponds to the degree of protection required, based on the type of information handled:

– Level 1: Basic protection of federal contract information (FCI).
– Level 2: General protection of controlled unclassified information (CUI).
– Level 3: Enhanced protection against advanced persistent threats, required for certain types of CUI.

Cybersecurity Compliance Linked to Contracts

Defense contractors must achieve the appropriate CMMC level to win new government contracts. This means that businesses must assess their current security practices and prepare for CMMC assessments. Contractors will need to show that they are compliant before they can be awarded contracts involving sensitive government information.

The CMMC program holds businesses accountable by making sure they follow cybersecurity standards. If a company fails to meet these standards or misrepresents its cybersecurity measures, it could face penalties. The new rule also implements an annual requirement for businesses to confirm their cybersecurity status.

Self-Assessments and Third-Party Reviews

The new CMMC rule makes it easier for companies to assess their compliance themselves, but only when appropriate. For CMMC Level 1, businesses can perform a self-assessment. This level involves basic protection of FCI, which is less sensitive than CUI. For Level 2, companies may either self-assess or undergo a third-party assessment, depending on the sensitivity of the information they handle. For Level 3, which involves higher risks, companies will need a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) review. By allowing self-assessments in some cases, the DoD hopes to reduce the burden on smaller businesses while still ensuring they meet cybersecurity standards.

Aligning with Federal Cybersecurity Requirements

The final CMMC rule is designed to align with existing federal cybersecurity standards. This includes regulations in the Federal Acquisition Regulation (FAR) and the cybersecurity requirements outlined by the National Institute of Standards and Technology (NIST).

Businesses must meet the standards set in NIST Special Publications 800-171 Rev 2 and 800-172 to achieve the appropriate CMMC level. The new rule clearly identifies the 24 requirements from NIST 800-172 that are needed for CMMC Level 3 certification, which provides the highest level of protection.

Conditional Certifications and Action Plans

To help businesses achieve certification, the DoD has introduced Plans of Action and Milestones (POA&Ms). These action plans allow companies to receive a conditional certification for 180 days. During this time, businesses can work on meeting certain cybersecurity requirements while still being able to participate in the defense supply chain. However, companies must fully comply within the 180-day period to maintain certification.

Protecting the Warfighter and Critical Information

The CMMC Program is crucial for protecting sensitive information that supports the U.S. warfighter. By ensuring that contractors follow strict cybersecurity standards, the DoD can better protect defense information from cyberattacks, including those from advanced persistent threats (APTs), which are highly skilled and well-funded adversaries.

The CMMC Program also aims to create a collaborative culture of cybersecurity across the defense industrial base (DIB). By working together, businesses and the government can improve cybersecurity, safeguard critical information, and build stronger defenses against evolving cyber threats.

Support for Small Businesses

The DoD recognizes that complying with cybersecurity requirements can be challenging, especially for small- and medium-sized businesses. That’s why the CMMC Program has been adjusted to make it easier for these companies to meet the standards while still maintaining strong protections for federal information.

Businesses can use cloud services to help meet the required cybersecurity standards. The DoD’s Cybersecurity-as-a-Service (CSaaS) program offers tools and resources for companies to improve their cybersecurity efforts. More information about these services is available through the DoD CIO DIB Cybersecurity Program.

CMMC Requirements Coming to Contracts in 2025

The DoD plans to introduce the CMMC requirements into defense contracts in early to mid-2025. The upcoming Defense Federal Acquisition Regulation Supplement (DFARS) rule will officially implement the CMMC Program. Once the rule is published and goes into effect, defense contractors will need to achieve the appropriate CMMC level as a condition for contract awards. This rule will apply to any contractor who processes, stores, or transmits FCI or CUI as part of their work with the federal government.

A Collaborative Effort

The development of the CMMC Program has been a collaborative effort between the DoD, defense contractors, and industry associations. Throughout the public comment period, businesses and industry groups provided valuable input that helped shape the final rule. The DoD has thanked the industry for its cooperation and input, which has been key to achieving the program’s goals of improving cybersecurity while reducing compliance burdens for businesses.

Time for Action

Defense contractors should act now to evaluate their cybersecurity practices and prepare for CMMC assessments. By taking steps to comply with the CMMC requirements, companies can protect critical government information and ensure their eligibility for future defense contracts.

The original news release is available on the DoD website.
