Pentagon (DoD photo by Master Sgt. Ken Hammond, U.S. Air Force)


DOD revamps controversial CMMC program

The Department of Defense is revamping its cybersecurity compliance program for government contractors, after a nine-month internal review and complaints from vendors large and small over the cost and complexity of the requirements.

Cybersecurity Maturity Model Certification 2.0, announced Nov. 4, promises a new strategic direction for protecting federal contract information and controlled unclassified information that allows for more self-assessment, eliminates several tiers of compliance and reduces the role of third-party assessment.

"CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base," Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a statement. "By establishing a more collaborative relationship with industry, these updates will support business in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DOD requirements."

DOD will establish and implement new CMMC policies through the rulemaking process, including a period for public comment, according to a notice that was posted and then removed from the Federal Register on Nov. 4. That document states that CMMC pilots will be suspended until the CMMC 2.0 rule changes take effect, and that going forward CMMC requirements will not be included in DOD solicitations.

The move "raises the bar on security but reduces the compliance," said John Weiler, CEO of the IT-Acquisition Advisory Council and a frequent critic of the CMMC program.

The revamp of the CMMC program also appears to dovetail with a recent move by the Justice Department to launch the Civil Cyber-Fraud Initiative to target contractors that "put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."

Weiler noted that companies that fraudulently self-assess could face false claims lawsuits from the DOJ's Civil Division.

Some details are still not available about the new program, in particular the status of the CMMC Accreditation Body, which has a contract to certify third-party assessment and training under the first iteration of the program.

Under CMMC 2.0, third-party assessment will be focused "on companies supporting the highest priority programs," according to a one-page explainer released by DOD to announce the new direction of the program.

A version of this article appeared on FCW, a Defense Systems partner site. 

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Connect with him on Twitter at @thisismaz.
