Pentagon announces version 2.0 of its controversial CMMC program

CMMC 2.0 simplifies the process for SMBs, but critics say the verification process relies too much on self-attestation.

Last week, the Pentagon announced version 2.0 of its controversial and complex Cybersecurity Maturity Model Certification (CMMC). The CMMC is a training, certification and third-party assessment framework for defense industrial base (DIB) contractors. The goal of the CMMC is to provide cybersecurity requirements that DIB contractors must implement.

The Department of Defense (DoD) introduced CMMC three years ago and adopted it in an interim format in September 2020. It was designed to replace the previous cybersecurity self-attestation of DIB contractors with third-party verification of compliance. An independent, tax-exempt organization, the CMMC Accreditation Body (CMMC-AB), was picked by the Pentagon to conduct the third-party verifications.

Number of security maturity levels cut from five to three

The first version of the CMMC spells out basic cybersecurity hygiene processes and practices in a complicated model framework of 17 domains mapped across five maturity levels: basic, intermediate, good, proactive, and advanced. CMMC 2.0 seeks to cut the “red tape for small and medium-sized businesses” by whittling down the need for accreditation and reducing the number of levels to three: Foundational, Advanced and Expert.

This article appeared in CSO Online. To read the rest of the article please visit here.


CMMC bakes security into DoD’s supply chain, has value…

The Cybersecurity Maturity Model Certification provides a means for the Department of Defense to certify the security capabilities of its contractors, but it’s a good way to assess the cybersecurity maturity for all companies.

Just as the coronavirus pandemic was getting underway in January, the Department of Defense (DoD) launched an ambitious cybersecurity certification and compliance process called the Cybersecurity Maturity Model Certification (CMMC). This framework has five certification levels of maturity that are designed to ensure that the Pentagon’s 300,000 contractors can adequately protect sensitive information.

The CMMC embraces existing well-known federal cybersecurity frameworks including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, as well as compliance procedures from the Federal Information Security Management Act (FISMA). One of the most significant changes for DoD contractors under the CMMC is the need to undergo external security audits.

“There were some simple things that our communities weren’t doing and we needed to find a way to make them repeatable, accountable and to provide metrics and make them auditable,” Katie Arrington, CISO for acquisition and sustainment, DoD, said at the 10th Annual Billington Cybersecurity Summit, which was held virtually this year. “So, we created this model with collaboration with industry and academia.”

The CMMC “is one piece of a massive cultural reform that’s been going in the department since 2018,” Arrington said, pointing to something called the Adaptive Acquisition Framework, a set of policies designed to introduce innovation into what has long been the sluggish thicket of the federal acquisition process. “It’s refreshing to see that acquisition is now understanding the new emerging capabilities and how we need to move through those.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by İsmail Enes Ayhan on Unsplash