The Department of Defense (DoD) has revised the Cybersecurity Maturity Model Certification (CMMC) program to remove the certification requirement for suppliers of commercial-off-the-shelf products, FedScoop reported Tuesday.
The CMMC website previously stated that all DoD contractors must achieve certification regardless of whether they process controlled unclassified information.
Katie Arrington, chief information security officer for defense acquisition and sustainment and 2020 Wash100 Award winner, told the publication in an email that the revision serves as “a clarification based on the existing rule.”
Arrington’s comments come after the DoD selected the National Institute of Standards and Technology to develop requirements for independent assessors responsible for vetting contractors.
The DoD intends to require contractors to meet five levels of cybersecurity maturity as part of the CMMC program. Plans are in place to integrate the framework into all defense contracts by 2026.
According to FedScoop’s report, the recent revision took place between March 19 and April 11.