
Axiotrop Blog

clairekelley0

CMMC – a long time in the making…

The journey to secure our nation’s military secrets, specifically controlled unclassified information (CUI), has been anything but swift. But now, after years of delay, the tide is turning. The Department of Defense (DoD) has published a cybersecurity ecosystem called the Cybersecurity Maturity Model Certification program to protect what matters most.


The process began with the introduction of DFARS 252.204-7012 in 2016, aimed at safeguarding Controlled Unclassified Information (CUI). This regulation required all DoD contractors to comply with NIST SP 800-171r2, a set of security controls designed to protect sensitive data, by the end of 2017.


However, Defense Industrial Base (DIB) contractors struggled to meet compliance, raising concerns about the security of critical information. Many contractors didn’t comply, and with over 300,000 DIB contractors, the task of auditing them fell to the relatively small DIB Cybersecurity Assessment Center (DIBCAC).



Recognizing the gaps in compliance and the huge task of assessing so many contractors, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) in January of 2020, which created an ecosystem of consultants and assessors and mandated third-party assessments.


The rollout of CMMC was met with resistance and concerns from contractors. In response, the DoD introduced CMMC 2.0 in November 2021, simplifying requirements while maintaining rigorous security standards. 


Since November 2021, the DoD has been rewriting CMMC 2.0. The resulting rule, published in October, is a simpler version of the original. The number of certification levels was reduced from five to three, and the process was aligned more closely with existing NIST SP 800-171 requirements.


Looking forward, the published CMMC 2.0 rule will take effect on December 16, 2024, requiring many contractors to pass third-party cybersecurity assessments. Title 48 will follow, which will give the DoD the ability to include CMMC in its purchase orders starting in 2025.


It’s been a long time coming, but the implementation of CMMC 2.0 marks a pivotal moment in protecting our national security interests. The road here wasn’t easy, but the stakes are too high to delay any further. Now is the time for contractors to rise to the challenge, ensure compliance, and secure the future of our defense capabilities.  


Schedule a free 15-minute consultation with our cybersecurity experts to answer your questions about starting your CMMC implementation. 

 

About AXIOTROP, LLC: 

 

AXIOTROP’s mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.  

 
