Pentagon issues revised cyber standards for contractors
US Pentagon in Washington DC building looking down aerial view from above
Martin Matishak November 4, 2021

Pentagon issues revised cyber standards for contractors

Pentagon issues revised cyber standards for contractors

The Defense Department on Thursday released a revamped framework and digital security standards for contractors that is intended to “minimize barriers” for compliance.

The updated Cybersecurity Maturity Model Certification, dubbed “CMMC 2.0,” is the result of a months-long internal review by the Pentagon after industry groups and contractors expressed concerns about the scope of the effort, which began to take shape in 2019, and that it could become another source of red tape in the already bureaucracy-heavy Pentagon.

“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, deputy assistant secretary of defense for industrial policy, said in a statement. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”

The original framework’s five-tier system is pared down to three under the new model. It also no longer requires every defense contractor to obtain a third-party certification if they don’t handle “controlled unclassified data” —a generalized classification for information which in this instance would predominantly mean DoD systems, including weapons.

Companies that do deal in such information must meet the top tier of the new model and get a third-party certification proving they possess certain cybersecurity standards before they could receive a contract award. 

However, the new framework also contains a broader waiver process for contractors.

Last week John Sherman, President Joe Biden’s nominee for Pentagon chief information officer, said he wanted to update CMMC to make it easer for companies to adhere to the department’s cyber standards.

“If confirmed, there’s a number of things I’d want to do to” the program to make it “not onerous” for small and medium-sized businesses, he told the Senate Armed Services Committee.

Martin is a cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.