The Department of Defense’s revised Cybersecurity Maturity Model Certification program is a significant tool that addresses evolving cybersecurity challenges and creates stronger safeguards across the defense industrial base, according to Ted Wagner, vice president and chief information security officer at SAP National Security Services.
In an opinion piece SAP NS2 published on Wednesday, Wagner said the updated CMMC program implements new structure and requirements designed to protect sensitive information and the warfighter, enforce DIB cybersecurity standards, ensure accountability while minimizing barriers to compliance with DOD requirements, perpetuate a collaborative culture of cybersecurity and cyber resilience, and maintain public trust through high professional and ethical standards.
The Cybersecurity Program Has Three Levels of Certification:
- Level 1 focuses on basic cyber hygiene and protecting federal contract information (FCI) and requires compliance with 15 security requirements, the basic safeguarding requirements of FAR 52.204-21.
- Level 2 is only awarded to entities that implement all 110 security requirements of NIST SP 800-171 Revision 2 to protect FCI and controlled unclassified information (CUI).
- Level 3 adds more stringent controls, drawn from NIST SP 800-172, and a government-led assessment for higher-level protection of CUI against advanced persistent threats. A certification is valid for three years, with an annual affirmation of continued compliance required to maintain that status.
“The CMMC program has created a working model that streamlines compliance while always falling back on the rigorous standards that are needed to protect CUI,” Wagner said. “As our threat landscape evolves, the growth of the CMMC reflects a broader commitment by the DoD to secure sensitive defense data, enhance accountability, and build a resilient security posture for our nation.”