
Pentagon shares new cybersecurity rules for government contractors

An aerial view of the Pentagon.

The U.S. Department of Defense has introduced new cybersecurity requirements for companies that contract with the DOD.

The Pentagon said the new rules, dubbed Cybersecurity Maturity Model Certification (CMMC), aim to simplify the process of getting certified to do defense contract work while giving the DOD verifiable assurance that a contractor actually meets the security requirements it is already obligated to follow.

“The purpose of CMMC is to verify that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats,” the DOD said in announcing public review of the rules.

“This rule streamlines and simplifies the process for small-and medium-sized businesses by reducing the number of assessment levels from the five in the original program to three under the new program.”

Under the new rules, companies at the first level (the 15 basic safeguarding requirements of FAR 52.204-21, covering FCI) certify through an annual self-assessment. The second level (the 110 requirements of NIST SP 800-171, covering CUI) is certified by self-assessment for a subset of contracts and by an assessment from a certified third-party assessment organization (C3PAO) for the rest. The third level (NIST SP 800-171 plus selected requirements from NIST SP 800-172) is assessed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and builds on a completed Level 2 third-party assessment.

The hope is that the simplified process will broaden the range of companies that consider bidding on DOD contracts, particularly smaller providers for which the original five-level scheme was a barrier.

“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the DOD explained.

“The CMMC Program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company's cybersecurity status.”

The rules apply only to companies working with the DOD. Given the Pentagon's purchasing power and clout with the business world, however, many of the companies that comply are likely to extend some or all of the practices they adopt for government work to their private-sector offerings as well.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
