The foundation of the Cybersecurity Maturity Model Certification (CMMC) — the Department of Defense’s new cyber requirements for contractors — will see some coming changes, its leaders recently said.
The DOD will make alterations to the highest level of the five-tier security model after receiving public comments on the recently issued CMMC Defense Federal Acquisition Regulation System rule.
The department issued an “interim final” rule in September instead of first issuing a proposed rule, which meant the rule took effect upon publication. But there was still a 60-day comment period for industry to weigh in. The Office of Management and Budget, which hosts the council overseeing acquisition rules, allowed for this because of “the threat to national security” embedded in supply chain vulnerabilities, Jessica Maxwell, a DOD spokeswoman said in a statement.
“We did not plan to make changes to the DFAR rule,” Maxwell said. She added: “We also recognize that as the threat is not static nor should our model not be static, we are always evaluating the best standards to implement to address relevant threats.”
Continue reading at: FedScoop