- New cybersecurity framework will soon take effect
- CMMC will see more complicated rules for potential suppliers
- This is the second iteration of these rules
A new set of requirements has just been published for potential defense providers. The new Cybersecurity Maturity Model Certification (CMMC) 2.0 standards outline strict requirements for any potential DoD contractors, and will officially enter into force on November 10, 2025.
“We expect our suppliers to put U.S. national security at the top of their priority list,” Katie Arrington, acting Pentagon Chief Information Officer, said in a statement. “By complying with cyber standards and achieving CMMC, this shows that our suppliers do exactly that.”
The new cybersecurity framework operates at three levels of compliance, depending on the sensitivity of the data handled. Vendors are not eligible for DoD contracts if they do not meet the requirements.
Another attempt
Implementation of CMMC was a difficult and long-lasting process, and the cybersecurity industry pushed back against the requirements of the first Trump administration, arguing that the rules were overcomplicated and that SMEs were excessively burdened by them.
In the second version of these requirements, the compliance process has been simplified, with only three assessment levels, down from five. Suppliers can self-assess their cybersecurity at the lowest level of sensitivity, but level two must be verified by a certified third-party assessment, and level three requires assessment by the Defense Industrial Base Cybersecurity Assessment Center.
The new requirements also provide for ‘action plans and milestones’ that will help contractors who do not meet the rules by allowing them 180 days with a conditional certification while they work to become compliant.
Earlier this year, the US Department of Defense was called on to tackle serious IT system issues after programs were found to fall below required performance standards – with four critical defense systems identified without “developed plans to implement a more strict cyber security method – Zero Trust Architecture – at the 2027 deadline.”



