New CMMC Rule Offers Tiered Security Levels for Contractors

The U.S. Department of Defense released a draft of a long-awaited proposed rule for the Cybersecurity Maturity Model Certification program that aims to simplify compliance, enhance public-private coordination and better protect sensitive information from cyberthreats.

See Also: OnDemand Panel | Unlocking the Enigma of Government Zero Trust Challenges

The proposed rule, designed to establish a security framework for the defense industrial base, introduces a tiered security model for contractors and subcontractors who manage sensitive unclassified information. The tiers are categorized into three levels. Level 1 represents the most basic security measures and Level 3 requires the most advanced ones.

Contractors categorized at CMMC levels 2 and 3 would need to perform third-party compliance assessments. Contractors would also be required to achieve certain CMMC levels in order to compete for certain contract awards, according to the draft.

The Tuesday release of the draft begins a 60-day comment period. The Defense Department initially announced its plans for “CMMC 2.0” in November 2021.

The more than 200-page draft lays out specific security requirements for contractors under each tiered level and tasks Level 1 contractors with implementing 15 security measures contained in the Federal Acquisition Regulation. The requirements become more advanced at each tier. Level 2 contractors would be required to implement 110 security measures outlined in NIST SP 800-171, in addition to meeting the Level 1 requirements. Level 3 contractors would be tasked with meeting the Level 1 and Level 2 requirements, in addition to implementing 24 additional security measures outlined in NIST SP 800-172.

The Pentagon would assess Level 3 security compliance, the rule says, and contractors would be granted 180 days after an assessment to develop and complete plans of action for security requirements they failed to meet.

Under the proposed rule, Level 1 contractors would be allowed to maintain federal contracting information, while Level 2 and Level 3 contractors would be able to maintain certain controlled unclassified information. All CMMC contractors would be required to report their security assessments to Defense, but Level 1 and Level 2 contractors would be allowed to conduct self-assessments.

The Pentagon expects it will save money by allowing the first two tiers of contractors to do their own assessments, reserving personnel from the Defense Industrial Base Cybersecurity Assessment Center for the final tier.