During an event where Defense Department officials looked to dispel myths about a plan to certify the cybersecurity of its contractors through third-party audits, the department’s head of acquisitions spoke to why the rollout of the program isn’t expected to be done until 2026.
“We are doing this with what I would call irreversible momentum,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said, answering questions from reporters.
Some stakeholders have said the plan to subject companies in the defense industrial base to reviews by independent auditors—instead of allowing them to self-attest to security practices—is moving at breakneck speed. But Defense officials were pressed at the event to explain why it would take such a long time to fully implement the program.
“We’re being realistic in terms of making sure we have pathfinder projects and then we implement it and learn, get the feedback, and go on,” Lord said.
While the department plans to note CMMC requirements in requests for information starting late spring, specific security levels—ranging from 1 through 5, as described in the final version 1.0 of the model—won’t be included in requests for proposals until the fall, when the related rule is expected to be finalized in the Defense Federal Acquisition Regulations.
Spring is also when auditors will start attending classes and CMMC training will be available on the Defense Acquisition University website, officials said.
Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/01/pentagon-announces-final-version-cyber-standards-contractors/162807/