ARTICLE
15 November 2021

Updates Announced To Department Of Defense Cybersecurity Certification Program

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

The Department of Defense (DOD) recently announced several changes to its Cybersecurity Maturity Model Certification program. The program applies to those who serve as contractors and suppliers to the DOD. As described in our sister blog, the new version of the program - "CMMC 2.0" - has several important differences from the original program. CMMC 2.0 is anticipated to go into effect anywhere from nine to 24 months from now.

Key differences include:

  • Restructuring the program to allocate information systems into three levels (rather than five) depending on the type of information companies maintain within those systems. Depending on level, companies need to provide different levels of security for the information they handle.
  • Allowing Level 1 companies to self-assess (rather than requiring assessment and certification by a third party). Self-assessment is also allowed for certain acquisitions at Level 2.
  • Aligning the required practices with National Institute of Standards & Technology (NIST) cybersecurity standards.
  • Increasing oversight of third-party assessors.
  • Allowing companies that have not yet met the compliance requirements to remediate under strict timelines. The program also includes waivers in limited circumstances.

The new program aligns with current regulations regarding protection of Controlled Unclassified Information (CUI). These regulations already require NIST SP 800-171 as the minimum level of security for CUI. They also require a self-assessment or DOD assessment against the NIST SP 800-171 controls and an associated report to DOD.

Putting it into Practice: Companies that contract with the DOD (or are part of the DOD supply chain) will want to review their cybersecurity program and update their compliance plans to ensure that they are working towards the new streamlined CMMC 2.0.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
