A civilian counterpart to the Pentagon’s Cybersecurity Maturity Model Certification would need to suit the varying missions across government, according to federal deputy CIO Margie Graves.
The Defense Department is working on a new policy that will require its vendors to obtain a certification confirming that the contractor's own systems have strong enough cybersecurity to protect the department's secrets. A civilian agency counterpart to that would look very different from what the Pentagon is developing, according to the second-ranking civilian IT official.
While the government does have a method for certifying the cybersecurity of vendors’ products — through the authority to operate, or ATO, process and the Federal Risk and Authorization Management Program, or FedRAMP — it does not have a program for assessing the security of the systems used by the vendors.
The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, looks to change that with a set of 18 “key sets of capabilities for cybersecurity,” according to the draft released in September.