Cyber Protection: Defense Base Prepares for New CMMC Rules.

Author: Roaten, Meredith

One year after the Pentagon announced its newest cybersecurity guidelines, industry is still figuring out how it will comply with new rules and operate in a new environment.

Cybersecurity Maturity Model Certification 2.0 recently entered the Defense Department's rulemaking process--the final step before it becomes an official requirement. Despite questions about industry's cybersecurity capabilities and the challenging documentation process, defense companies could be required to comply with CMMC for new contracts as soon as May 2023.

CMMC is intended to protect "controlled unclassified information," or CUI--information that falls outside the classified level but could still cause major damage to the Pentagon if accessed by hackers. In recent years, infamous incidents such as the SolarWinds attack in 2019 have raised awareness about the seriousness of network intrusions.

"If you're in the market of providing support to the Department of Defense, the market conditions have changed because the department is essentially saying, 'If you want to do business with us, we need to be able to trust that you are valuing our data as much as we do, and therefore protecting it to the standard that we need to protect it,'" said Matt Travis, president of the CMMC assessor accreditation organization The Cyber AB.

Companies whose Defense Department business involves sensitive, unclassified information are legally required to implement controls and cybersecurity measures to protect that material. CMMC will require companies to prove their data security practices through an assessment process.

When the Pentagon rolled out CMMC 2.0 in November 2021, it reduced the certification levels from five to three and allowed some companies to self-assess rather than have an authorized assessor document their compliance.

The three levels are based on the sensitivity of the controlled information the defense company handles, with Level 1 the least sensitive and Level 3 the most, according to the Defense Department. A business that handles less sensitive information is more likely to be allowed to self-assess instead of needing a third party to do it.

Despite the changes, one of the biggest problems with CMMC 2.0 is that defense companies are still not clear on the rules and on how the standards they must meet to win a government contract will be implemented.

Of the commenters that weighed in during a public comment period for...
