While Cybersecurity Maturity Model Certification (CMMC) has received bad press lately for potential misdealing by a board member AND the actual certification process would lose a race to molasses in January, the Defense Department nevertheless released an interim rule this week that will require contractors to prove they are keeping up with key cybersecurity measures.  The interim rule, effective November 30th, creates three levels for cybersecurity assessments: basic, medium, and high.  Each level requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems”.

This includes even those systems that are not part of an IT service or system operated on behalf of the government.  It is important to remember that compliance with NIST SP 800-171 was required before CMMC requirements were created and that CMMC was only created because companies had failed to implement the mandated security protocols in the first place.  CMMC certification itself will be required of all DOD contractors handling “Controlled, Unclassified Information” by October 2025.  CMMC certification, though, is slow coming out of the starting gate.  The interim rule may be a step to keep pressure up on industry to ensure compliance.  While industry may have expected a proposed rule, DOD believes that the requirements are critical enough to start with an interim measure.  Companies can comment on the rule until the November 30th effective date.