Lead official grapples with the challenge of resourcing a federally funded research and development center to act as a gateway for the Pentagon’s certification program.
The Defense Department is on the cusp of signing a new agreement with the volunteer organization that has been training auditors for its Cybersecurity Maturity Model Certification program, according to DoD’s Katie Arrington, who is leading its implementation.
“They have come light years. We have done two provisional training classes—they’re actually in the middle of the third,” Arrington said during a webinar Tuesday hosted by NeoSystems LLC. “We in the Department of Defense, are, I think today we finalize the statement of work with them. We had a [memorandum of understanding] previously. We’ve been working on a SOW with the no-cost contract to the AB for five years plus.”
The CMMC, as described in an interim rule now up for comment, was designed to replace the current system of DoD taking contractors at their word regarding cybersecurity practices with one that would require third-party verification that such practices are up to snuff.
In March, the DoD signed an MOU with the volunteer group, which is called the CMMC Accreditation Body, or AB. Under that agreement, the AB was responsible for establishing a “CMMC standard” that would guide its certification of companies seeking to do work with the DoD, based on the department’s tiered model of cybersecurity controls.