In a statement, CEO of the CMMC Accreditation Body Matthew Travis said the updated requirements for cybersecurity contractors, announced Thursday, succeeded in clarifying the standard for contractors.
“The Department of Defense (DOD) approached this from the appropriate risk management perspective and delivered on what the internal review set out to accomplish: clarifying the standard, reducing the cost burden, improving scalability, and instilling greater trust and confidence in the CMMC Ecosystem,” said Travis.
The DOD on Thursday announced the sweeping changes to the CMMC rules, which are intended to substantially reduce the cost for smaller companies seeking to obtain the approval of their cybersecurity measures required to bid on defense contracts.
Major changes to the cybersecurity program include the removal of two levels of security – levels two and four – and the designation of level one as requiring only self-attestation from companies.
The updated guidance also eliminates novel CMMC maturity practices from the standard and identifies limited plans of action and milestones as acceptable forms of remediation for certain CMMC practices.
The CMMC Accreditation Body was incorporated in January 2020 as a non-stock corporation and is responsible for managing and administering CMMC assessment, certification, training and accreditation processes for the defense supply chain.
“There will be some short-term challenges to confront, such as curricula adjustments our training providers will now need to make, and the time requirement for yet another round of federal rulemaking,” Travis added. “But now that there is a definitive way forward, I hope all parties move with alacrity.”
The accreditation body will hold a special town hall Nov. 9 to discuss the changes.