- The new cybersecurity framework will soon come into force
- CMMC brings more demanding rules for prospective suppliers
- This is the second iteration of these regulations
A new set of requirements has just been published for prospective vendors to the US Department of Defense (DoD). The Cybersecurity Maturity Model Certification (CMMC) 2.0 standards set out strict compliance requirements for all prospective DoD contractors, and will officially enter into force on November 10, 2025.
“We expect our suppliers to put US national security at the top of their priority list,” said Katie Arrington, director of the Pentagon, in a statement. “By complying with cyber standards and reaching CMMC, this shows that our vendors do exactly that.”
The new cybersecurity framework operates on three different compliance levels, depending on the sensitivity of the data handled. Vendors that do not meet the requirements will not be eligible for DoD contracts.
A second try
Implementing CMMC has been a long and difficult process. The requirements were postponed during the first Trump administration, amid arguments that the rules were too complicated and that small and medium-sized enterprises were overwhelmed by the regulations.
In the second version of the requirements, the compliance process has been simplified, with only three assessment levels, down from five. Vendors can self-assess their cybersecurity at the lowest level of sensitivity, but level two must be verified by a certified third-party assessor, and level three will require an assessment by the Defense Industrial Base Cybersecurity Assessment Center.
The new requirements also provide for “plans of action and milestones”, which help contractors that do not yet comply with the regulations by granting them 180 days of conditional certification while they work to become compliant.
Earlier this year, the DoD was urged to address serious defects in its IT systems after programs fell below the required performance standards, with four critical defense systems identified as having no “plans developed to implement a more rigorous cybersecurity approach, zero trust architecture, by the 2027 deadline”.