- The new cybersecurity framework will soon enter into force
- The CMMC will impose stricter compliance rules on prospective suppliers.
- This is the second iteration of these regulations.
A new set of requirements for prospective suppliers to the Department of Defense has just been published. The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) imposes strict compliance requirements on any potential DoD contractor and officially takes effect on November 10, 2025.
“We hope that our suppliers will put the national security of the United States at the top of their priority list,” said Katie Arrington, the Pentagon's acting Chief Information Officer, in a statement. “Complying with cybersecurity standards and achieving CMMC shows that our suppliers are doing exactly that.”
The new cybersecurity framework operates on three compliance levels, determined by the sensitivity of the data a supplier handles. Suppliers that do not meet the requirements for their level will not be eligible for Department of Defense contracts.
A second attempt
Implementing the CMMC has been a long and difficult process. The requirements were delayed during the first Trump administration amid arguments that the rules were excessively complicated and that small and medium-sized businesses were overburdened by regulation.
The second version of the requirements simplifies the compliance process, reducing the original five assessment levels to three. Suppliers can self-assess their cybersecurity at the lowest sensitivity level; Level 2 must generally be verified by a certified third-party assessment organization (some Level 2 contracts still permit self-assessment); and Level 3 will require an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The new requirements also establish Plans of Action and Milestones (POA&Ms), which give contractors that do not yet fully comply a 180-day conditional certification while they work to close the remaining gaps.
Earlier this year, the US Department of Defense was urged to address serious IT systems failures after programs fell short of required performance standards, with four critical defense systems identified as having no “plans developed to implement a more rigorous cybersecurity approach, zero trust architecture, by the 2027 deadline”.