New CMMC Rule Offers Tiered Security Levels for Contractors

Defense Department Proposes New Security Requirements for Defense Industrial Base
The U.S. Department of Defense released a draft rule for CMMC on Dec. 26, 2023. (Image: Shutterstock)

The U.S. Department of Defense released a draft of a long-awaited proposed rule for the Cybersecurity Maturity Model Certification program that aims to simplify compliance, enhance public-private coordination and better protect sensitive information from cyberthreats.

The proposed rule, designed to establish a security framework for the defense industrial base, introduces a tiered security model for contractors and subcontractors who manage sensitive unclassified information. The tiers are categorized into three levels. Level 1 represents the most basic security measures and Level 3 requires the most advanced ones.

Contractors categorized at CMMC Levels 2 and 3 would need to undergo third-party compliance assessments. Contractors would also be required to achieve the CMMC level specified for a given solicitation in order to compete for that contract award, according to the draft.

The Tuesday release of the draft begins a 60-day comment period. The Defense Department initially announced its plans for "CMMC 2.0" in November 2021.

The more than 200-page draft lays out specific security requirements for contractors under each tiered level and tasks Level 1 contractors with implementing 15 security measures contained in the Federal Acquisition Regulation. The requirements become more advanced at each tier. Level 2 contractors would be required to implement 110 security measures outlined in NIST SP 800-171, in addition to meeting the Level 1 requirements. Level 3 contractors would be tasked with meeting the Level 1 and Level 2 requirements, in addition to implementing 24 additional security measures outlined in NIST SP 800-172.

The Pentagon would assess Level 3 security compliance, the rule says, and contractors would be granted 180 days after an assessment to develop and complete plans of action for security requirements they failed to meet.

Under the proposed rule, Level 1 contractors would be allowed to handle federal contract information, while Level 2 and Level 3 contractors would be able to handle certain controlled unclassified information. All CMMC contractors would be required to report their security assessments to the Defense Department, but Level 1 and Level 2 contractors would be allowed to conduct self-assessments.

The Pentagon expects it will save money by allowing the first two tiers of contractors to do their own assessments, reserving personnel from the Defense Industrial Base Cybersecurity Assessment Center for the final tier.


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.