Author: clara.kinney@agc.org

After months of internal review, the Department of Defense announced it will make significant changes to the Cybersecurity Maturity Model Certification (CMMC) program, now called CMMC 2.0.  Among these changes are: reducing the number of companies that would require a 3rd party assessment, reducing the CMMC rating from 5 levels to 3 levels, suspending CMMC pilot programs until a final regulation, allow for annual self-assessments for certain levels, and brings back Plans of Action and Milestone (POAM).  These changes were met with oppositions from some stakeholders who argue that these changes are counter to DoD policies and President Biden’s recent Executive Orders increasing cybersecurity reporting requirements for businesses. AGC has communicated the difficulty many contractors have had…

On November 8, the Office of the Undersecretary of Defense for Acquisition and Sustainment (OSD) released part of Version 0.6 of the draft Cybersecurity Maturity Model Certification (CMMC). The newly released Version 0.6 includes CMMC Levels 1 – 3, but not Levels 4-5. According to OSD, “CMMC Levels 4-5 are not included in this release because public comments are still being addressed.” The updates to CMMC Levels 4 – 5 are expected to be provided in the next public release. According to OSD the CMMC model will continue to be improved with the finalization of Version 1.0 in January 2020. The Department of Defense (DOD) will begin including the final CMMC model as “go/no go” in all solicitations…

On September 25, AGC of America, along with a coalition of stakeholders, filed comments on Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC). According to the Department of Defense (DOD), the CMMC model will continue to be improved over the next several months with the finalization of v1.0 in January 2020. DOD will begin including the final CMMC model as “go/no go” in all solicitations starting in Fall 2020.  DOD envisions at least one additional round of public comments for the draft CMMC Model v0.6 in November 2019. AGC of America was disappointed to see that stakeholders were given just 21 days to review and comment on the v.0.4 CMMC Model. We urge…

On September 4, the office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC) for comment. Under this model, Defense contractors, including subcontractors, will be required to be certified among the different CMMC levels (1-5) in order to be eligible for contract award. The level of security is determined based on the security requirements needs for each defense contract. A departure from previous cybersecurity mandates, CMMC will require contractors to obtain a third-party certification. Public comments are due on September 25th. According to DOD website, the CMMC model will continue to be improved over the next several months with the collaboration of all the stakeholders with the finalization of v1.0 in January…