CMMC Updates from April 2021
The Department of Defense is pushing DoD contractors to improve cybersecurity through the Cybersecurity Maturity Model Certification (CMMC) initiative. The CMMC will require DoD contractors to have their cybersecurity audited and certified by an independent third-party auditor.
The move comes in the wake of revelations that self-certification isn’t working for DoD contractors handling Controlled Unclassified Information (CUI). DoD contractors with unsecured networks have fallen victim to data breaches that led to the loss of government information.
Here’s a roundup of the latest CMMC news in April 2021.
Final CMMC Rule to Be Finalized in a Month
In the latest push to secure cybersecurity in industrial bases, the Department of Defense is set to finalize the Defense Federal Acquisition Regulation Supplement (DFARS) rule in the next 30 to 40 days.
The rule will require industrial base contractors to have third parties inspect their networks before they’re cleared to work with the Department of Defense. First published in September, the Cybersecurity Maturity Model Certification (CMMC) came into effect in December. It had an open comment period to allow stakeholders to provide feedback to the government before the final rollout.
Confirming the timeline, DoD’s chief information security officer, Katie Arrington, said the department had received numerous comments during the interim period. She further confirmed that the DoD was working to adjudicate the industry inputs before finalizing the rule.
Arrington further noted that exceptional circumstances mitigated the need to issue an interim final rule. The move was DoD’s latest push to beef up cybersecurity for industrial base contractors. DoD contractors are vulnerable to massive breaches of government information, making them the weakest links in the supply chain.
Questions still linger as to whether there’ll be reciprocity between existing federal cyber compliance programs and CMMC. Arrington couldn’t confirm reciprocity but offered that DoD is working on CMMC Assessment Guides.
Part of the CMMC DFARS rule requires contractors to self-assess their cyber compliance and submit the report to the DoD. Self-assessment is meant to help companies prepare for the CMMC inspection. Currently, no organizations have been cleared to carry out the CMMC assessment.
Matthew Travis Appointed as CMMC Accreditation Body’s First CEO
The CMMC Accreditation Body (CMMC-AB) Board of Directors has appointed Matthew Travis as the body’s first CEO. Mr. Travis, a former CISA Deputy Director, will assume the role effective April 1, 2021. In his capacity as CEO, Mr. Travis will oversee the body’s daily operations and management to support the goals and objectives of the Department of Defense.
Board Chair Karlton Johnson confirmed they were thrilled with the appointment, which resulted from a nationwide search for a suitable candidate. He confirmed that Mr. Travis was well-versed with the Federal government and cybersecurity and would be instrumental in quickly ramping up the body’s operations.
In his previous role, Mr. Travis was the first Deputy Director of the Cybersecurity & Infrastructure Security Agency (CISA). He oversaw the daily operations of the leading civilian cybersecurity agency with a $2 billion budget and 2,000 employees. He was instrumental in designing and leading the agency’s internal transformation after its creation in 2018.
Prior to joining CISA, Mr. Travis was homeland security vice president at Cadmus, a professional firm providing energy and environmental services. He co-founded Obsidian Analysis, a startup security consultancy that Cadmus acquired in 2016. He’s a former naval officer who served on USS Carr and as a White House Liaison to the Secretary of the Navy. Mr. Travis graduated from the University of Notre Dame and holds a Master’s degree from Georgetown University.
Pentagon Approves CMMC Pilots for Release in 2022
A DoD spokeswoman has confirmed that the Pentagon will start soliciting contract bids with cybersecurity certification requirements. The department is expected to roll out up to 15 pilot contract solicitations in the summer.
The Cybersecurity Maturity Model Certification program’s delayed release is to allow the Office of Undersecretary of Defense for Acquisition and Sustainment to incorporate the CMMC language into contracts. Currently, the office is working with various agencies and services to determine the best way to include the clauses.
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7021 clause indicates that a contractor complies with the CMMC programs. All DoD contract solicitations until September 2025 will have the CMMC requirement.
While it’s not immediately clear which services and agencies will pioneer the contracts, there are two programs under review. The Air Force Broadband Global Area Net and Army Program Main Operating Base — Special Purpose Processing Node are earmarked for the rollout. Most of the pilot contracts scheduled for release in 2021 were pushed to 2022 due to various unexpected issues.
Some services and agencies are releasing or amending their RFPs to include the DFARS clause, but the solicitations are yet to be approved by OUSD(A&S). The RFPs also don’t specify the maturity levels required of primes and their subcontractors.
The DoD spokeswoman said the CMMC requirements are set to become a staple for all DoD contracting. DoD contractors will be required to include the compliance certificates even if the contract doesn’t explicitly state it as a requirement.
New Names for Certified Training and Assessors
In a sweeping move to eliminate rogue organizations, Professionals and Assessors will now have new names. Cmmca reveals they will be known as Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA). The move is driven by the need for copyrighted titles to prevent rogue organizations from offering fake training or administering exams.
Licensed Publishing Partners (LPPs) are awaiting the final version of training models and objectives from DoD to release the final CCP curriculum. The curriculum is expected to be a thick book that covers the topic comprehensively.
One of the bottlenecks that are currently being addressed is the training period. Licensed Training Providers (LTPs) currently indicate that trainees have only four months to go through the entire training module. It implies that your application is likely to become invalid if you don’t make this deadline.
There’s speculation that LTPs are yet to get the green light to commence with the training until they can accommodate thousands of students at a go. It’ll cost $200 to undergo the four-month-long training program. The fee covers training, exams, and approval.