CMMC enforcement begins after eight years of warnings
"The defense industry has had nearly a decade of warnings, but today (Monday, Nov. 10) marks the day that companies need to start complying with the government's standards around how they protect controlled unclassified information. Of course, they should have been complying with the National Institute of Standards & Technology's SP 800-171 standard for the last eight years. But now the Cybersecurity Maturity Model Certification program begins in earnest."
"One year from today (Nov. 10, 2026), DOD will step things up by requiring Level 2 certification. This requires a third-party assessment of compliance with all 110 controls in the standard. Then in the following year (Nov. 10, 2027), contracting officers can start requiring Level 3. This requires a higher level of certification, often involving an assessment by the Defense Industrial Base Cybersecurity Assessment Center."
CMMC compliance becomes required beginning Nov. 10, with new defense contracts demanding at least Level 1 certification. Level 1 relies on self-certification for 15 SP 800-171 controls that address basic cyber hygiene. On Nov. 10, 2026, the Department of Defense will require Level 2 certification, entailing a third-party assessment of all 110 SP 800-171 controls. Starting Nov. 10, 2027, contracting officers may require Level 3 certification, which involves higher scrutiny and assessments such as those by the Defense Industrial Base Cybersecurity Assessment Center. The push to certify compliance traces back to 2017 and has been refined across administrations. Industry preparedness varies, with some firms already compliant and others skeptical or unprepared, according to security and cloud solutions managers.
Read at Nextgov.com