Alex Whitworth, director of sales at Carahsoft Technology, said companies should review their security practices to identify and address gaps as the Department of Defense is finalizing the second version of its Cybersecurity Maturity Model Certification program.
Whitworth wrote in a blog post published Tuesday that DOD’s CMMC 2.0 model has three maturity levels that defense contractors will aim to achieve through different methods of assessment.
He noted that the department plans to require an annual self-evaluation and leadership affirmation for the first maturity level and to divide the next level into two categories, one of which applies to vendors that will handle data critical to national security missions.
The initial CMMC iteration, according to Whitworth, required contractors to undergo an independent third-party audit at each of the five maturity levels for cybersecurity preparedness.
DOD previewed changes to the program in November 2021 after senior agency leaders completed an internal review in a move to ensure that industry partners have the capacity to safeguard defense information against cyberattacks.
“Ultimately, the CMMC guidelines will continue to evolve based on community feedback,” Whitworth said.
“While the program is finalized, organizations should press forward with security enhancements and preparing for compliance with the new standards.”