New Cybersecurity Requirements for Federal Contractors

The U.S. Department of Defense is set to enforce new cybersecurity requirements for federal contractors through the Cybersecurity Maturity Model Certification (CMMC) program. These rules will require contractors in the supply chain, including subcontractors and particularly those handling Controlled Unclassified Information (CUI), to obtain certifications that confirm compliance with cybersecurity standards.

Source: Lexology

Key Points

  • The CMMC programme has three levels of certification based on the sensitivity of the information handled.
  • Level 1 focuses on Federal Contract Information (FCI) and requires self-certification.
  • Level 2 involves more stringent controls for CUI, including third-party certifications for many contractors.
  • Level 3 applies to the most sensitive CUI, requiring detailed compliance and assessments from specialised bodies.
  • A significant number of companies in the Defence Industrial Base (more than 220,000) will be affected by these changes.
  • Compliance costs have been a concern for small and medium businesses, but the DOD’s rollout is making it essential for them to adapt.

Why should I read this?

If you’re involved in defence contracting, this article is a must-read! The new cybersecurity requirements could significantly change how businesses operate within the DOD supply chain. Understanding these obligations can save you from being sidelined or struggling with compliance, giving your organisation a better shot at contracts in the future!
