Thursday, December 18, 2025

Nextgov: DOD Suspends Cybersecurity Certification Program Pending Major Changes

“The Defense Department is significantly scaling back a program it rolled out last year to validate the cybersecurity of its suppliers through third-party audits and is halting its implementation until the changes are official…”

“’Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations,’ reads a notice set to publish Friday in the Federal Register. ‘The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.’…”

“According to the notice, CMMC 2.0 would reduce the model to three levels. All level one contractors would be allowed to self attest to their cybersecurity. The notice said level three contractors would be ‘bifurcated’ into priority and non-priority acquisitions with the former also being able to avoid an independent third-party assessment. Rules for the third and highest level are yet to be determined…”

“Another major change under CMMC 2.0 would be in the department’s acceptance of a Plan of Action and Milestones—or PoAMs, a sort of to-do list with deadlines—from contractors. Former CMMC leader Katie Arrington, currently on leave while suing the department over alleged mishandling of classified information, had said PoAMs would not be considered and that companies would have to be certified to their required level of the standard at the time of contract approval…” Read the full article here.

Source: DOD Suspends Cybersecurity Certification Program Pending Major Changes – By Mariam Baksh, November 4, 2021. Nextgov.

Jackie Gilbert
Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.
