The cybersecurity certification will move forward even as companies continue to have questions about what defines controlled but unclassified information, cloud services and other requirements.
The final rule for the Cybersecurity Maturity Model Certification released Oct. 11 did not contain many significant changes, but there are still some areas that industry wants more clarification and guidance on.
CMMC is the Defense Department’s effort to secure so-called controlled but unclassified information that resides in contractors’ systems. The rule sets up a program for third-party certification for compliance with the National Institute of Standards and Technology’s 800-17 standard.
One area that still needs clarification is the definition of what exactly is CUI, according to Eric Crusius, an attorney at the law firm Holland & Knight.