DOD drops draft of CMMC rule governing cyber in acquisition
The Pentagon published a draft of its CMMC rule, which is expected to appear in the Federal Register on Tuesday, 15 October. The Cybersecurity Maturity Model Certification (CMMC) program strengthens DOD cybersecurity and that of its industrial base. Contractors should prioritize early compliance by adopting the NIST SP 800-171 and SP 800-172 standards, conducting self-assessments, and working with certified assessors. Implementing thorough system security plans, maintaining continuous monitoring, and addressing any non-compliance promptly will be crucial to maintaining eligibility for defense contracts.
Contractors should begin preparing for CMMC certification now by:
- Reviewing CMMC Requirements: Understand the level of certification required based on the type of information handled.
- Conducting Internal Audits: Evaluate current cybersecurity measures and identify gaps using the NIST SP 800-171 standards.
- Engaging with Certified Assessors: Reach out to C3PAOs for early assessments and work on remediation strategies.
- Ensuring Subcontractor Compliance: Ensure that all subcontractors handling sensitive information are also prepared for CMMC compliance.
The phased rollout allows time for preparation, but the risks of non-compliance—loss of contracts, penalties, and reputational damage—make it imperative for contractors to act promptly.
We will follow the rule-making process here on the Horizon.