The Department of War today announces the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were originally scheduled to come into effect on November 10, 2026. All Phase I self-assessment requirements remain firmly in place.

  • sylver_dragonOP
    link
    fedilink
    English
    arrow-up
    3
    ·
    12 hours ago

    More like, the business are whining that security is hard and expensive; so, they shouldn’t be required to do it.

    While I’m no fan of checkbox security, CMMC was kinda like the sign in front of rollercoasters. Except instead of a minimum height, CMMC was saying, “your network must be at least this secure to hold CUI”.

    Seriously, I dealt with this stuff for years as a contractor for the US FedGov. It’s not rocket science. It’s not even hard. But, it does require that you document your shit and do a bit better than accepting the defaults. It won’t make your network secure. But if you are struggling to meet the basic controls, I guarantee that your security is bad.

    • solrize@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      12 hours ago

      CMMC is more about how well your processes work. Low level = more chaotic, stuff basically works but people have to scurry around and improvise when it breaks. Mid level = it can break but procedures for fixing it are documented and regular, and various good practices are followed to make it reliable. High level = can’t break, very rigorous standards. No attempt at certifying to any level at all = never mind, just wing everything.

      I wonder how much turning everything into piles of AI crap is involved with this.