
CMMC 2.0 final rule released: New compliance standards set to begin next year – Breaking Defense

Seal of the Pentagon on display at the Pentagon visitor center. (Photo by Trevor Raney, Digital Media Division)


WASHINGTON

The final rule for the long-awaited Cybersecurity Maturity Model Certification (CMMC) 2.0, which sets new standards for contractors who handle controlled unclassified information (CUI), was released today for public inspection and will hit the Federal Register on Oct. 15.


Starting in 2025, the Department of Defense will begin to implement its requirement that all defense contractors be CMMC compliant at the time a contract is awarded. However, in order to avoid a scramble to meet the new regulations with little notice, those requirements will become mandatory after a three-year phase-in period.


“The DoD’s follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule change to contractually implement the CMMC Program will be published in early to mid-2025,” a DoD press release said.


The main change from CMMC 1.0 to 2.0 is that CMMC 1.0 had a five-level scale for compliance, while CMMC 2.0 has a three-level scale. Additionally, a third-party assessment is being introduced depending on the level of CUI a contractor handles.


Contractors at Level 1, who handle “basic” protection of CUI, and some contractors at Level 2, who handle “general” CUI protection, can undergo self-assessments to ensure they are CMMC compliant. The remaining contractors who classify as Level 2 and all Level 3 contractors have to undergo a third-party assessment. The new rule also “clearly identifies” all 24 security controls from NIST SP 800-172 requirements mandated for CMMC Level 3 certification.


A recent study reported by Breaking Defense showed that there was a notable discrepancy between companies who completed self-assessments and those who obtained third-party assessments: only 4 percent of respondents were actually CMMC compliant based on third-party assessments, but 75 percent thought they were based on self-assessments.


Furthermore, today’s release confirmed that contractors have to adhere to controls set by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.


“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the press release stated. The CMMC program “implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company’s cybersecurity status.”


Officials have been teasing CMMC 2.0 since November 2019 as an updated version of CMMC 1.0. The new model was designed to reduce complexity by eliminating unique processes and security practices that industry sees as redundant and costly, David McKeown, Deputy Chief Information Officer for Cybersecurity and Senior Information Security Officer at the Department of Defense, said back in June