The Defense Department has released one of the last major pieces to complete the Cybersecurity Maturity Model Certification (CMMC) program puzzle: an interim rule under the Defense Federal Acquisition Regulations to add more clarity around the implementation timeline and around the requirements contractors will have to adhere to over the next five years. DoD estimates more than 26,000 small businesses would be impacted by this new rule at the basic assessment level.
Observers were surprised by new requirements for vendors working at medium or high security levels to undergo an assessment by the government of how they comply with the standards outlined in NIST Special Publication 800-171.
