The Department of Defense (DoD) has faced pressure to adopt a more flexible approach to the Cybersecurity Maturity Model Certification (CMMC) requirements. Critics argue that the current minimum score needed to qualify for Plan of Action and Milestones (POA&M) is too high, making it difficult for contractors to meet the necessary criteria.
According to experts in the field, DoD requires contractors to pass 80% of the 110 specified requirements in a special publication to be eligible for any POA&M closures over a six-month period. Additionally, 45 critical cyber requirements within this group of 110 must be met on the first attempt, regardless of the overall score, in order to receive a POA&M for closure.
In response to these challenges, contractors are being encouraged to proactively engage in CMMC assessments within a 60-day window following the publication of the new rule in the Federal Register. Brian Kirk, a senior manager for information assurance and cybersecurity at Cherry Bekaert, a CMMC Third-Party Assessment Organization (C3PAO), emphasizes the importance of conducting thorough assessments to ensure that contractors’ cybersecurity practices align with DoD standards.
As a C3PAO, Cherry Bekaert is authorized to independently evaluate contractors’ cybersecurity controls and practices to verify compliance with the required security standards outlined by DoD. By taking a proactive approach to assessments, contractors can identify and address any gaps or vulnerabilities in their cybersecurity posture, ultimately enhancing their ability to meet CMMC requirements.
The push for greater flexibility in CMMC requirements reflects a growing awareness of the evolving cybersecurity landscape and the need for organizations to adapt to meet emerging threats. As cyber threats continue to evolve and become more sophisticated, it is essential for contractors to prioritize cybersecurity measures and ensure compliance with DoD standards to safeguard sensitive information and critical infrastructure.
By encouraging contractors to take a proactive approach to CMMC assessments and addressing potential challenges with the current requirements, DoD and industry experts are working towards a more resilient and secure cyber environment. As the cybersecurity landscape continues to evolve, it is critical for organizations to stay abreast of emerging threats and regulations to protect sensitive data and maintain operational integrity.