The Defense Department released one of the last major pieces to complete the Cybersecurity Maturity Model Certification (CMMC) program puzzle.
The Pentagon issued an interim rule under the Defense Federal Acquisition Regulation Supplement (DFARS) on Sept. 29 to add clarity around the implementation timeline and around the requirements contractors will have to meet over the next five years.
One surprise among observers is the new requirement that contractors subject to a medium- or high-level assessment have that assessment performed by the government, rather than by themselves, to measure how they comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
“The assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (basic, medium and high), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment,” the interim rule stated. “A basic assessment is a self-assessment completed by the contractor, while medium or high assessments are completed by the government. The assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”