The Department of Defense has started soliciting comments on a proposed rule that seeks to establish requirements to ensure that defense contractors and subcontractors implement DOD’s cybersecurity protection requirements for federal contract information and controlled unclassified information as part of the Cybersecurity Maturity Model Certification program.
The CMMC program is designed to improve protection of FCI and CUI when it is processed, transmitted or stored on information systems of contractors to meet threats and protect sensitive unclassified data that supports warfighters, according to a Federal Register notice published Tuesday.
Aside from safeguarding sensitive information, CMMC seeks to implement cybersecurity standards within the defense industrial base, ensure accountability while minimizing barriers to compliance with DOD requirements and foster a collaborative culture of cybersecurity and cyber resilience.
The CMMC 2.0 program has three features: tiered model, assessment requirement and implementation through contracts.
DOD said the implementation of CMMC seeks to address several policy issues, including verification of a vendor’s cybersecurity posture, comprehensive implementation of cyber requirements and reduction of repetitive or duplicate requirements.
Comments are due Feb. 26.
