The US Department of Defense has recently tightened the cybersecurity requirements that contractors must meet to work with the Pentagon. For nearly a year and a half, the DoD has been taking steps to adopt a strict cybersecurity framework, the Cybersecurity Maturity Model Certification (CMMC), that requires businesses to mature their cybersecurity practices.
While CMMC is still being rolled out, the DoD's CISO for Acquisition and Sustainment, Katie Arrington, has cautioned businesses not to wait to budget for cybersecurity costs; she warned that they need to be preparing now for changes that are fast approaching.
The decision to overhaul security with the new framework came in the wake of several breaches in previous years that compromised personal data and government documents belonging to the DoD and the wider federal government. Despite becoming more alert to these threats, the DoD has found it difficult to close the gaps in its existing framework, and those gaps continue to leave the department exposed to attackers.
CMMC was formally published in January 2020. Since then, one of the most significant developments has been the DFARS Interim Rule, announced in September and in effect from the end of November 2020. That rule requires contractors to complete a cybersecurity self-assessment and to document a plan of action for closing the gaps it reveals. Many contractors turned to CMMC consulting professionals to meet the Interim Rule's deadline.
The Final Rule on Cybersecurity Maturity Model Certification
According to the department's chief information security officer for acquisition and sustainment, Katie Arrington, the publication of the interim rule on Cybersecurity Maturity Model Certification (CMMC) in September drew a broad set of comments from industry, which the Defense Department is now working through and adjudicating.
Speaking at a Deltek webinar, she assured contractors that the team is working to have the final rule, which updates September's interim policy, published in roughly a month. She again advised businesses not to delay budgeting for cybersecurity costs, since they must begin preparing now for the impending changes.
The program lead has also disclosed that the final Defense Federal Acquisition Regulation Supplement (DFARS) policy will require every contractor to undergo a third-party assessment before it can work with the Department of Defense. The update is expected to be completed within the next 30 to 40 days.
Arrington noted that issuing an interim rule is not standard practice; it was necessary to get industry contractors on board, and the final rule will now cement the plan for moving forward with CMMC compliance.
CMMC and Other Government Cyber Compliance Plans
The most common question about the new standard concerns how CMMC relates to, and whether it will offer reciprocity with, other government cybersecurity compliance programs. Arrington did not say what form any reciprocity might take, but she noted that guidance would soon be released in the CMMC Assessment Guides the DoD is putting together.
Several parts of the CMMC DFARS policy will affect contractors before they ever sit for a CMMC assessment. Under the rule, contractors must now submit a cybersecurity self-assessment to the Department of Defense. Although that self-assessment is separate from the CMMC assessment, it can help businesses prepare for their formal assessment by testing themselves against the requirements first.
According to Arrington, no organization has yet been fully authorized to conduct CMMC assessments, so businesses will have to wait until accredited assessors are working under an authorized third-party assessment organization (C3PAO) before they can be certified.