Article Details

Scrape Timestamp (UTC): 2025-09-09 20:12:46.995

Source: https://www.theregister.com/2025/09/09/new_cybersecurity_compliance_rules_dod/

Original Article Text

New cybersecurity rules land for Defense Department contractors

Now if only someone would remember to apply those rules inside the DoD

It's about to get a lot harder for private companies that are lax on cybersecurity to get a contract with the Pentagon, as the Defense Department has finalized a rule requiring contractor compliance with its Cybersecurity Maturity Model Certification (CMMC) program.

The final rule, which was released as a preview ahead of its formal publication in the Federal Register on Wednesday, will go into effect on November 9. After that point, all vendors who contract with the DoD (known collectively as the defense industrial base, or DIB) will need to meet one of three levels of CMMC compliance, depending on the sensitivity of the unclassified information they handle, in order to be eligible for award consideration once the rule is phased in.

CMMC requirements include limiting access to sensitive data, authenticating users with access, imposing physical security rules for facilities where US government data is stored, installing regular software updates, and reporting and remediating any incidents promptly.

Meeting Level 1 of CMMC requires an annual self-assessment and attestation. Level 2 may allow a self-assessment in rare cases, but most contracts will require a third-party audit. Level 3 demands a government-led assessment.

"We expect our vendors to put U.S. national security at the top of their priority list," said acting DoD Chief Information Officer Katherine "Katie" Arrington. "By complying with cyber standards and achieving CMMC, this shows our vendors are doing exactly that."

Arrington, who is performing the duties of DoD CIO without Senate confirmation after rejoining the department earlier this year (possibly due to the fact that her DoD security clearance was suspended over concerns of disclosure of classified data in 2021), was instrumental in helping the DoD develop the CMMC during Trump's first term.

Hey, what about the Department of War?

You may have heard that President Donald Trump has recently found another way to drag the United States back into the past by renaming the DoD to the Department of War, a name it hasn't held since 1947. While that's technically true, we're going to keep calling it the DoD, thank you very much.

The US President lacks the authority to unilaterally rename a government branch. That authority is reserved for Congress. The President appears to know this, given that his executive order renaming the DoD makes clear that it's just a nickname, despite the government wasting money to change signs and redirect websites (many sites still use the defense.gov URL without a redirect) to make it look like an official action. While the EO also directs the DoD to submit a recommendation that includes proposed legislative changes to formally rename the branch, that has yet to happen.

Vendors seeking contracts with the Pentagon under CMMC have to demonstrate clear evidence that they have conformed to the cybersecurity standards set forth in the program, which was made official in October of last year. CMMC only applies to contractors working with information about federal contracts and controlled unclassified information. Classified data and the software systems that handle it are subject to different rules, though that's not to say those rules are always followed.

Vendors objected to many of the requirements imposed on them through the CMMC, leading to the development of a revised [PDF] version. It's that version that was made official last year, and that version that contractors will need to comply with under the rule previewed on Tuesday.

In addition to putting the compliance onus on contractors, the new rule requires DoD contracting officers to specify the applicable CMMC level in solicitations and to ensure awards only go to vendors with a current assessment or certification. The Pentagon didn't respond to questions for this story.

Daily Brief Summary

VULNERABILITIES // DoD Finalizes Cybersecurity Certification Rule for Contractors

The Defense Department has finalized a rule mandating contractor compliance with the Cybersecurity Maturity Model Certification (CMMC) program, effective November 9. This move aims to enhance cybersecurity across the defense industrial base.

Contractors must meet one of three CMMC levels based on the sensitivity of unclassified data they handle. Compliance is required for contract eligibility with the DoD.

CMMC Level 1 requires an annual self-assessment, Level 2 typically demands a third-party audit, and Level 3 necessitates a government-led assessment, ensuring rigorous cybersecurity standards.

Requirements include controlling access to sensitive data, user authentication, physical security measures, regular software updates, and prompt incident reporting and remediation.

The rule places responsibility on both contractors and DoD contracting officers, who must specify CMMC levels in solicitations and verify vendor compliance before awarding contracts.

The finalized rule follows contractor feedback and revisions to the CMMC, addressing industry concerns while maintaining robust cybersecurity requirements.

Acting DoD CIO Katherine Arrington emphasized the importance of prioritizing U.S. national security through compliance with these cyber standards.