Pentagon updates cyber certification guidelines for industry

The US Department of Defense has issued a new, updated version of cyber-security guidelines and certifications for industry-led programme development efforts, in the hope of simplifying and increasing the ethical standards of the certification regime.

The new version of the Cybersecurity Maturity Model Certification (CMMC), dubbed “CMMC 2.0”, will seek to disentangle the somewhat complicated parameters of the CMMC standards governing the safeguarding of sensitive data tied to development of advanced programmes and platforms for the US armed forces. The CMMC 2.0, officially unveiled on 4 November, provided specific clarity on elements of “cyber security [regulations], policy, and contracting requirements”, according to a department statement on the new policy.

“CMMC 2.0 will dramatically strengthen the cyber security of the defence industrial base,” said Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimising barriers to compliance with DoD requirements,” he added in the statement.

Salazar, along with Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang, Deputy Chief Information Officer for Cybersecurity David McKeown, and Executive Director of US Cyber Command David Frederick, co-chaired the internal review of the CMMC, which resulted in the release of the new version of the policy.

The biggest point of clarification and streamlining department officials made in CMMC 2.0 is consolidating the five-tiered assessment of cyber-security compliance down to three.