- New cybersecurity framework will soon come into effect
- The CMMC will see more complicated rules for potential vendors
- This is the second iteration of these regulations
A new set of requirements has just been published for potential Department of Defense vendors. The new Cybersecurity Maturity Model Certification 2.0 (CMMC) standards outline stringent compliance demands for any potential contractors for the DoD, which will officially come into effect November 10 2025.
“We expect our vendors to put U.S. national security at the top of their priority list,” Katie Arrington, acting Pentagon chief information officer, said in a statement. “By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that.”
The new cybersecurity framework operates on three different levels of compliance dependent on the sensitivity of the data being handled. Vendors will not be eligible for DoD contracts if they do not meet the requirements.
A second try
Implementing the CMMC was a difficult and lengthy process, and the cybersecurity pushed back against the requirements during the first Trump administration, arguing that the rules are overcomplicated and that SMEs are overly burdened by the regulations.
In the second version of these requirements, the process of compliance has been simplified, with just three assessment levels down from five. Vendors can self-assess their cybersecurity at the lowest sensitivity level, but tier two must be verified by a certified third-party assessor, and tier three will require assessment from the Defense Industrial Base Cybersecurity Assessment Center.
The new requirements also set out ‘plans of action and milestones’ that will help contractors that don’t meet the regulations by allowing them 180 days of a conditional certification as they work to become compliant.
Earlier this year, the US Department of Defense was urged to address serious IT systems flaws after programs were found to be falling short of required performance standards – with four critical defense systems identified without “developed plans to implement a more rigorous cybersecurity approach—zero trust architecture—by the 2027 deadline”.
Add Comment