The United States Department of Defense (DoD) introduced a new program that independent defense contractors must pass before they’re allowed to bid for DoD contracts.

These new regulations are aimed at improving the US’s overall national security and keeping tighter control over the sensitive information that defense contractors handle. They take effect with the finalization of the latest changes to the Cybersecurity Maturity Model Certification (CMMC) program.

The changes to these rules were first proposed in December 2023. They modify rules introduced in 2021, when the DoD published an updated CMMC program. After a public comment period, further changes were made in February 2024. After years of deliberation, the rules were finally passed.

The new rules create a simplified three-level system that protects both contractors and the government. Companies may self-assess to confirm that they meet the current guidelines. Level 1 provides basic protection of Federal Contract Information (FCI) and allows self-assessment. Based on DoD analysis, 63% of contractors will need to meet Level 1.

Level 2 provides general protection of Controlled Unclassified Information (CUI). It is open to both self-assessment and third-party assessment. Roughly 36% of contractors will need to meet Level 2. Level 3 provides enhanced protection of CUI against advanced persistent threats (APTs); only 1% of companies will need this level of protection.

On top of meeting these requirements, companies must reassess themselves annually to confirm that they continue to meet them. Contractors can also obtain a conditional certification for 180 days to catch up with the new rules, so that they are not left behind by the changes.

“CMMC provides the tools to hold accountable entities or individuals that put US information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the DoD explains in its press release.