The Department of Defense (DoD) has now finalized its new cybersecurity standards, which we discussed last year. The standards are intended to protect controlled unclassified information and will be implemented by the Cyber Maturity Model Certification (CMMC) program, which was finalized last week after multiple draft iterations. CMMC Version 1.0 is available here.
CMMC Will Require Third-Party Certification of Cybersecurity Maturity Level
Among other changes from the prior cybersecurity compliance regime, this new approach will require that, to be eligible for DoD awards, contractors be certified by a third-party commercial certification organization as having achieved one of five cybersecurity maturity levels, with higher levels representing more advanced cybersecurity. Later this year, DoD solicitations will contain the applicable CMMC requirement, and contractors failing to meet this standard will be unable to bid. The requirements will apply to all parties within the supply chain (although subcontractors may not have to meet as high a CMMC standard as the prime contractor, depending on their scope of work).