Critical Infrastructure Security, Government security, Government Regulations

CMMC enforcement commences

(Air Force Staff Sgt. Brittany A. Chase/DoD)

The U.S. Defense Department has begun enforcing its Cybersecurity Maturity Model Certification program for defense contractors and subcontractors aimed at ensuring their capability to protect Federal Contract Information and Controlled Unclassified Information, SecurityWeek reports.

Initial enforcement, which commenced on Nov. 10, mandates contractors to fulfill Level 1 and Level 2 self-assessments that gauge compliance with FCI protection and CUI safeguarding requirements, respectively. Contractors will later be compelled to accomplish third-party evaluations for Level 2 certifications for new contracts as part of the second phase of CMMC, which begins on Nov. 10, 2026.

After introducing Level 3 requirements covering CUI protection against advanced persistent threats on Nov. 10, 2027, contractors will be forced to complete CMMC implementation across all contracts by Nov. 10, 2028. Secureframe CEO Shrav Mehta expressed concern about how such a "GDPR-level event" could impact subcontractors without adequate data security resources or expertise. Findings from a recent CyberSheath report also showed total CMMC readiness among only 1% of defense contractors this year.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds