Pentagon announces version 2.0 of its controversial CMMC program

CMMC 2.0 simplifies the process for SMBs, but critics say the verification process relies too much on self-attestation.

Last week, the Pentagon announced version 2.0 of its controversial and complex Cybersecurity Maturity Model Certification (CMMC). The CMMC is a training, certification and third-party assessment framework for defense industrial base (DIB) contractors. The goal of the CMMC is to provide cybersecurity requirements that DIB contractors must implement.

The Department of Defense (DoD) introduced CMMC three years ago and adopted it in an interim format in September 2020. It was designed to replace the previous cybersecurity self-attestation of DIB contractors with third-party verification of compliance. An independent, tax-exempt organization, the CMMC Accreditation Body (CMMC-AB), was picked by the Pentagon to oversee those third-party assessments.

Number of security maturity levels cut from five to three

The first version of the CMMC spells out basic cybersecurity hygiene processes and practices in a complicated framework of 17 domains mapped across five maturity levels: basic, intermediate, good, proactive, and advanced. CMMC 2.0 seeks to cut the “red tape for small and medium-sized businesses” by reducing the number of contractors that need a third-party assessment and collapsing the levels to three: Foundational, Advanced and Expert.

This article appeared in CSO Online.