On July 12, 2022, Diz Locaria was quoted in Law360 on government contracting policies to watch in the second half of 2022, including the U.S. Department of Defense’s (DOD) pending cybersecurity program.
According to the article, the Cybersecurity Maturity Model Certification (CMMC) program is a sweeping effort that will eventually attach minimum cybersecurity requirements to all defense contracts, rated from Level 1 for basic cybersecurity requirements to Level 3 for advanced, more proactive requirements. It will require more than 200,000 defense contractors, subcontractors, and suppliers to assess and certify their cybersecurity programs.
A final rule had initially been expected earlier on, but after more than a year of buildup around an initial version of CMMC, with contractors making business plans and models along the way, the DOD "pulled the rug out from everybody," Locaria said, relaunching CMMC in November 2021 as a simplified "2.0" draft version, more in line with existing cybersecurity standards.
Ahead of a final rule implementing CMMC 2.0, there are still a number of open questions to be answered, such as when and how contractors should seek certification from third-party assessors, and the degree of reciprocity that will be granted for systems already approved under other federal security programs, such as the Federal Risk and Authorization Management Program, used for cloud services.
"We'll hear what [CMMC] 2.0 looks like hopefully later this year," Locaria said. "They've been, at least to my understanding, tight-lipped in terms of what the thought process is for 2.0."