The US Department of Defense has finalized cyber rules for its suppliers

DoD had been urged to be more flexible

“Many people urged DoD to take a more flexible approach,” he continued. “They wanted a lower minimum score from DOD as is needed to allow any POA&Ms. Essentially, DOD says that when an assessment is done, you have to pass 80% of the 110 stated requirements in that special publication. And if you don’t pass 80% of those, then you’re not eligible for any POA&Ms to close over a six-month interval.”

“But even then, there’s approximately 45 of the most important cyber requirements within that group of 110 that the DOD has said you have to meet on the first try, or they’re not going to let you have a POA&M to close them, even if you have an overall 80% score.”

Contractors urged to get a head start on assessments

Contractors were urged to conduct CMMC assessments during the 60-day period following the publishing of the new rule in the Federal Register by Brian Kirk, senior manager for information assurance and cybersecurity at the accounting and consulting firm Cherry Bekaert, which is a CMMC Third-Party Assessor Organization (C3PAO). C3PAOs are independent entities authorized to evaluate contractors’ cybersecurity practices and controls to ensure they meet the required security standards set by the DOD.