The Department of Defense (DoD) recently announced significant changes to its Cybersecurity Maturity Model Certification (CMMC) program intended to simplify the requirements and ease the compliance burden on contractors. Unlike its predecessor, the new CMMC 2.0 moves to three compliance levels rather than five; aligns the required security controls (known as practices) with National Institute
Christopher Hebdon
NIST Finalizes Enhanced Security Requirements for Combating Advanced Cyber Threats
The National Institute of Standards and Technology (NIST) recently released the final version of NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. Designed to supplement the requirements in NIST SP 800-171—the applicable standard under DFARS 252.204-7012—800-172 provides 35 enhanced security requirements to protect controlled unclassified information (CUI) associated with…
DoD and GSA Take Aim at Supply Chain Risks
The Department of Defense (DoD) recently implemented additional procedures for the mitigation of cybersecurity risks in its supply chain. Designed to identify and mitigate cybersecurity and related supply chain risks throughout a program’s lifecycle, DoD Instruction 5000.90, Cybersecurity Acquisition Decision Authorities and Program Managers, requires program managers to:
- Assess contractors’ cybersecurity posture, including, where
…
The DoD’s Own Cyber Monday: Defense Department Releases CMMC Assessment Guides
Fresh off the heels of the DFARS Interim Rule, the Department of Defense (DoD) released Assessment Guides for Levels 1 – 3 of the Cybersecurity Maturity Model Certification (CMMC). These Guides will be used by Certified Assessors to determine whether contractors have satisfied the practices and processes required to attain CMMC certifications at…
NIST Enhances Final Draft of NIST SP 800-172, Enhanced Security Requirements
The National Institute of Standards and Technology (NIST) recently released the final public draft of NIST Special Publication (SP) 800-172, formerly known as Draft NIST SP 800-171B. Building on the security requirements in NIST SP 800-171, the applicable standard under DFARS 252.204-7012, 800-172 provides 34 enhanced requirements to protect Controlled Unclassified Information (CUI)…
Just in Time for Spring: Revision 2 to NIST SP 800-171 Comes into Full Bloom
The National Institute of Standards and Technology (NIST) recently released its final version of Revision 2 to the cybersecurity standard NIST Special Publication (SP) 800-171. While the security controls remain unchanged, Revision 2 now incorporates implementation guidance into each control. Importantly though, such guidance remains non-binding and is not intended to extend the scope of…
No More “Wait & See” for CMMC: DoD Releases Final Cybersecurity Maturity Model Certification
The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions, such as:
- Process and Practice Descriptions in Appendix B, which include discussions and clarifications
…
DoD Acquisition Chief Looks Back at the Year that Was and Previews the Year to Come
On December 10, 2019, Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, briefed the press on the Department of Defense’s (DoD) significant acquisition reform achievements in 2019 and outlined many of the DoD’s top priorities for the coming year. Among a litany of other topics, the Secretary discussed efforts to streamline the…