DOD Cybersecurity Maturity Model Updates: A Step Forward or Two Back?
The Department of Defense (DOD) has been working to improve the Cybersecurity Maturity Model Certification (CMMC) since its initial release in 2020. The updated model, which was introduced in January 2022, aims to simplify and improve the cybersecurity standards for defense contractors. However, industry experts and contractors are still left wondering if the revised model goes far enough to alleviate their concerns.
A Brief History of CMMC
The CMMC was created to standardize cybersecurity practices across the defense industrial base. The initial model proposed a five-level certification process, with each level representing a different maturity level of cybersecurity practices. However, the initial proposal was met with criticism from industry stakeholders, who felt that the model was overly complex and would be difficult to implement.
The Revised Model
The revised CMMC model, which was introduced in January 2022, streamlines the certification process and reduces the number of levels from five to three. The three levels are:
- Level 1: Basic Cyber Hygiene – This level requires contractors to implement basic cybersecurity practices, such as implementing firewalls and encrypting data.
- Level 2: Advanced Cybersecurity Practices – This level requires contractors to implement more advanced cybersecurity practices, such as implementing incident response plans and conducting regular security training.
- Level 3: Expert Cybersecurity Practices – This level requires contractors to implement the most advanced cybersecurity practices, including implementing artificial intelligence and machine learning-based security tools.
Changes to the Revised Model
The revised model includes several changes that are designed to make the certification process easier for contractors. These changes include:
- Reduced number of practices – The revised model reduces the number of cybersecurity practices from 171 to 110.
- Streamlined assessment process – The revised model streamlines the assessment process by allowing contractors to choose from a range of assessment methods, including self-assessment and third-party assessments.
- More flexible certification requirements – The revised model allows contractors to choose the certification level that is best suited to their business needs.
Industry Reaction
The revised CMMC model has been met with a mixed reaction from industry stakeholders. Some contractors have expressed relief that the model has been simplified and made easier to implement. However, others have expressed concerns that the revised model does not go far enough to address their concerns.
Concerns Remain
Despite the changes to the revised model, concerns remain about the impact of CMMC on small and medium-sized contractors. These contractors may not have the resources or expertise to implement the advanced cybersecurity practices required by the revised model. Additionally, the cost of certification and compliance with the revised model may be prohibitively expensive for small and medium-sized contractors.
Next Steps
The DOD has announced plans to continue to refine the CMMC model based on industry feedback. The DOD is also working to provide more resources and support to contractors who are struggling to implement the revised model. However, it remains to be seen whether these efforts will be enough to alleviate industry concerns.
Conclusion
The revised CMMC model represents a step forward for the DOD’s efforts to improve cybersecurity practices across the defense industrial base. However, concerns remain about the impact of CMMC on small and medium-sized contractors. It is essential for the DOD to continue to work with industry stakeholders to refine the CMMC model and ensure that it is effective and practical for all contractors.
Recommendations for Contractors
Contractors should continue to monitor the development of the CMMC model and be prepared to adapt to any changes. Contractors should also consider seeking guidance from industry experts and taking steps to implement basic cybersecurity practices, such as implementing firewalls and encrypting data. Finally, contractors should be prepared to invest in certification and compliance with the revised model, as the cost is likely to be a significant expense for many contractors.
Recommendations for the DOD
The DOD should continue to work with industry stakeholders to refine the CMMC model and ensure that it is effective and practical for all contractors. The DOD should also provide more resources and support to contractors who are struggling to implement the revised model. Finally, the DOD should consider offering incentives to contractors who achieve high levels of cybersecurity maturity, in order to encourage best practices across the defense industrial base.
Final Thoughts
The revised CMMC model represents a step forward for the DOD’s efforts to improve cybersecurity practices across the defense industrial base. However, concerns remain about the impact of CMMC on small and medium-sized contractors. It is essential for the DOD to continue to work with industry stakeholders to refine the CMMC model and ensure that it is effective and practical for all contractors.


