"DoD Suspends Cybersecurity Certification Program Pending Major Changes"

The US Department of Defense (DoD) has scaled back the Cybersecurity Maturity Model Certification (CMMC) program it rolled out in 2020 to verify the cybersecurity of DoD suppliers. Implementation of the program has been stopped until the changes are made official. The program was supposed to be rolled out over a five-year period, with the goal of requiring every defense contractor in possession of certain Controlled Unclassified Information (CUI) to be certified by a third party as compliant with the CMMC standard. The department will suspend CMMC piloting efforts until the CMMC 2.0 changes become effective through the title 32 CFR and title 48 CFR rulemaking processes. When the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented, as needed, into acquisition regulation through title 48 rulemaking, the CMMC 2.0 program requirements will become mandatory. The previous iteration of the CMMC framework mapped cybersecurity processes and practices across five maturity levels. CMMC 2.0 will reduce the model to three levels, removing levels two and four. This article continues to discuss the purpose of CMMC and the enhanced CMMC 2.0 program.

NextGov reports "DoD Suspends Cybersecurity Certification Program Pending Major Changes"
