US DOD’s CMMC 2.0 rules lift burdens on MSPs, manufacturers

New cybersecurity rules for US Department of Defense (DOD) contractors are entering the home stretch. The rules, which establish a comprehensive and scalable assessment mechanism within the agency’s Cybersecurity Maturity Model Certification (CMMC) program, aim to ensure that contractors and subcontractors are implementing information security measures required by the DOD.

The department, which has largely depended on security self-assessments by its suppliers in the past, has been criticized for some time by its inspector general for weak supervision of its suppliers. In a report released in December, IG Robert P. Storch noted his agency issued five reports from 2018 to 2023 which consistently found that DOD contract officials failed to establish processes to verify that contractors complied with selected federal cybersecurity requirements for controlled unclassified information (CUI) as required by the National Institute of Standards and Technology (NIST).

Storch also pointed out that, since 2022, his office has participated in five US Department of Justice investigations targeting government contractors and grant recipients suspected of fraudulently attesting their compliance with NIST cybersecurity standards.

CMMC a way to assure security in the DOD supply chain

“The CMMC requirements are a response to the DOD inspector general’s reports as a way to assess and verify compliance with the department’s security requirements,” says Brian Kirk, a senior manager for information assurance and cybersecurity at accounting and consulting firm Cherry Bekaert. “The aggregate loss of intellectual property and CUI from the DOD supply chain severely undercuts the U.S. technical advantage and disrupts business opportunities and ultimately threatens our national defense and economy.”

“By incorporating cybersecurity into acquisition programs,” Kirk continues, “the CMMC program provides the department assurance that contractors and subcontractors meet DOD cybersecurity requirements and provides key mechanisms to adapt to the evolving threat landscape. It’s a way for the department to assure security in the supply chain.”

Important change in how CMMS rules treat managed service providers

Robert Metzger, cybersecurity practice chair at the law firm of Rogers Joseph O’Donnell, says, “I see the rule as reaffirming the decision that self-attestation is insufficient for most DOD suppliers who have CUI and keeping the bar high in expecting NIST standards will be met.”