A major shift in cybersecurity requirements for Department of Defense (DoD) contractors is about to come into effect: earlier this month the DoD released for public comment the long-anticipated Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC). This new framework for safeguarding controlled unclassified information (CUI), which includes a certification requirement by a third-party auditor, presents both significant opportunities and challenges for DoD contractors.

In an overview briefing on the new model, DoD emphasized that the new framework will impose a unified cybersecurity standard for all DoD acquisitions and, in so doing, “reduce exfiltration of [CUI] from the Defense Industrial base.” To achieve this goal, the new model significantly bolsters the existing compliance regime around cybersecurity—which currently, for the most part, requires compliance with the security standards set forth in NIST SP 800-171 through DFARS 252.204-7012.
