The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for C3PAO

By

CMMC regulations on the way despite pandemic

The Defense Department’s new high-profile cybersecurity regulations are on schedule for implementation this year despite potential setbacks from the COVID-19 pandemic.

Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said the Pentagon will begin rolling out the Cybersecurity Maturity Model Certification version 1.0 rules this year.

The requirements are part of the Defense Department’s push to protect industrial base networks and controlled unclassified information from cyber­attacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security requirements depending on the type of work they are doing, with level 1 being the lightest and level 5 the most stringent.

Acquisition officials unveiled their roadmap for implementation in January, before the COVID-19 pandemic roiled U.S. society and industry. The plans included releasing solicitations with CMMC requirements baked in for pathfinder programs this year.

“We are on track to do that,” Arrington said during a Project Spectrum webinar in May. “We’re still on target to release some initial [requests for information] in June. … Stay tuned, but the work hasn’t stopped and we’re still doing our absolute best to stay on track.”  Project Spectrum is intended to help small businesses improve their cybersecurity and is supported by the Defense Department’s Office of Small Business Programs.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/6/22/cmmc-regulations-on-the-way-despite-pandemic

By

CMMC update: Details on certification infrastructure and COTS products

The framework for the DoD’s Cybersecurity Maturity Model Certification (CMMC) process continues to move forward.

Here’s an update on what’s currently happening with the CMMC that includes a few more details the DoD and the independent CMMC Accreditation Body have recently released about the nuts and bolts of the certification process.

As explored in Koprince Law’s prior posts (such as this one), the CMMC standards were put in place to protect Controlled Unclassified Information held by defense contractors to reduce loss of data and “risk to national security.” The standards will require a third-party audit of all defense contractors and will be proportional to the magnitude of the contract and what data the contractor is handling for the DoD.

CMMC Accreditation Body and C3PAOs

DoD’s partners have been hard at work on fleshing out the details of the certification process.  The CMMC Accreditation Body (or CMMC-AB) is a non-profit, independent organization that will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the assessors themselves.  This means the CMMC-AB is not part of the government, although it operates under an agreement with the DoD.  The C3PAOs are the organizations that will help “train the trainers”–meaning they will provide skills to and assist the assessors, but the CMMC-AB will actually license the assessors. A C3PAO must be certified by the CMMC AB and then the C3PAO will train and monitor the CMMC assessors who provide the certifications.

The CMMC AB is taking steps to carry out its goals. The training program for CMMC assessors has not started yet and there is no timeline on the AB’s website. As a consequence, no assessors have been licensed yet.

However, as part of its mission, the AB is conducting market research to develop “a scalable and extensive partner-centric training and educational model to effectively equip professionals, students, and other stakeholders within the CMMC ecosystem.” The organization will provide training content and providers for certification.  The AB is also doing market research for an entity to develop a CMMC certification exam.

Keep reading this article at: https://smallgovcon.com/statutes-and-regulations/cmmc-update-details-on-certification-infrastructure-and-cots-products

By

U.S. allies considering adopting Pentagon’s CMMC cybersecurity standards

Foreign partners are considering adopting new cybersecurity standards that industry must eventually adhere to if they want to do business with the Pentagon, the Defense Department’s top weapons buyer said recently.

Cybersecurity Maturity Model Certification version 1.0, or CMMC, was released in January. The aim of the initiative is to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China.  The lower tier of the supply chain is of particular concern to Pentagon officials.

The specific standards that must be met will depend on the program and work that a company will be doing.  The level 1 standards will be the least demanding and level 5 the most burdensome.

Third-party assessors, known as C3PAOs, will be trained and approved by a new accreditation body.  They will have to certify that a company has met the CMMC standards before it can win contracts.

The new model will be phased in over the next five years to give contractors time to adjust.  By fiscal year 2026, all new Defense Department contracts will contain CMMC requirements that companies must meet to win the award.

Now, foreign nations are considering following in the Pentagon’s footsteps, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said at the annual McAleese & Associates defense programs conference in Washington, D.C.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/3/4/us-allies-considering-adopting-pentagons-new-cybersecurity-standards-for-industry

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter