The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for CMMC AB

By

What DoD’s cyber certification program reveals about info-sharing challenges

As the new regime takes effect, the tech industry’s lead trade association would rather higher level certifications be done by the department than independent third parties.

The Information Technology Industry Council is arguing that the foundation of U.S. cybersecurity policy — information sharing between organizations — presents a security threat that is too costly for many to address in response to a rule implementing the Pentagon’s Cybersecurity Maturity Model Certification Program.

The CMMC program was designed to change the Defense Department’s practice of having contractors simply attest to their own level of cybersecurity and institute a system of third-party auditors to validate required practices are in place.

The department’s Defense Contract Management Agency currently conducts audits of contractors’ cybersecurity through Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, assessments.  But Katie Arrington, the DoD official heading up the CMMC program, said a new ecosystem of private third-party assessors is necessary to scale such reviews across all of the approximately 300,000 companies the department relies on.

Organizations hoping to work with the Defense Department would be required to obtain certification through an accreditation body that entered into a no-cost contract with the Defense Department on Nov. 25.  The currently all-volunteer organization will be funded through fees it receives from assessors it trains to conduct audits and individuals it approves as qualified to consult with prospective contractors on CMMC requirements.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/12/what-dods-cyber-certification-program-reveals-about-info-sharing-challenges/170400/

By

Pentagon ready to name first 15 ‘pathfinder’ contracts for CMMC

It’s a significant week for the Defense Department’s Cybersecurity Maturity Model Certification program: New rules that serve as a precursor to the full CMMC implementation took effect on Tuesday, and an announcement of the first 15 contracts that will serve as “pathfinders” for the new model are imminent.

That initial set of procurements would represent the first real-world use of CMMC, the program the department has been building for the past year-and-a-half to shore up the cybersecurity of its industrial base.  So far, DoD acquisition officials have only applied the model to contracts in non-punitive tabletop exercises, and without publicly identifying the contracts involved.

The department expects to name the first 15 pathfinders within “the next few days,” Katie Arrington, the chief information security officer in DoD’s acquisition and sustainment office told an industry conference.  The announcement has been highly-anticipated as the defense industry waits to see how many vendors could be impacted by the initial pathfinder process.

Meanwhile, earlier this week, two precursors to the full CMMC rollout took effect — part of a sweeping rule change DoD promulgated in September to implement the program.  Going forward, almost all vendors bidding on new contracts will have to log into a web portal and attest to which specific security controls in NIST Special Publication 800-171 they’re currently complying with.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/12/pentagon-ready-to-name-first-15-pathfinder-contracts-for-cmmc/

By

DoD contractors: Will you be ready for CMMC on Nov. 30?

Responding to fundamental concerns about the cybersecurity of its private sector supply chain, the Department of Defense (DoD) will begin requiring at the end of this month all of its contractors to comply with a complex and demanding new cybersecurity framework.

Starting on November 30, 2020, contractors working for the DoD will need to comply with the long-anticipated Cybersecurity Maturity Model Certification (CMMC).  This mandatory requirement will be a go/no-go criterion for eligibility for many DoD contracts.

Issued on September 29, 2020 the interim rule, amends the Defense Federal Acquisition Regulation Supplement (DFARS) to establish the DoD Assessment Methodology for contractor cybersecurity certification and implement the CMMC program.

What is the DoD Assessment Methodology?

The DoD Assessment Methodology requirement was developed to address perceived flaws in the self-assessment process.  Currently, under DFARS clause 252.204-7012, contractors must self-certify their compliance with the cybersecurity requirements of NIST SP 800-171 to “covered contractor information systems,” which are generally those that store, process, generate, transmit or access “covered defense information.” Through the interim rule, the DoD Assessment Methodology rates contractor cybersecurity levels as Basic, Medium or High based on the contractor’s implementation of the 110 controls identified under the National Institutes of Standards and Technology (NIST) Special Publication (SP) 800-171.

Keep reading this article at: https://www.mondaq.com/unitedstates/security/1003266/defense-department-contractors-will-you-be-ready-for-cmmc-on-november-30

By

CMMC auditors about to wrap up training

Highly anticipated audits related to the Pentagon’s new Cybersecurity Maturity Model Certification process are inching closer, with auditors assigned to evaluate companies expected to complete their training by the end of September, according to the official spearheading the initiative.

Industry has been waiting with bated breath for the audits as part of CMMC implementation, which is meant to protect defense industrial base networks and controlled unclassified information from cyberattacks. Contractors will be required to meet different levels of security — Level 1 being the lightest and Level 5 the most stringent — depending on the type of work they are performing. The new rules will require contractors to be certified by third-party auditors to ensure that companies are adhering to certain standards.

Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment and the Defense Department’s point person on CMMC, said training for the first batch of auditors began Aug. 31.

“We’ll be starting to get some provisional assessors out into the marketplace very soon,” she said Sept. 2 during the Department of the Navy Gold Coast Small Business Procurement Event. The webinar was hosted by the San Diego Chapter of the National Defense Industrial Association. “Within a couple of weeks, we should have some capability out in the environment.”

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/9/2/cmmc-auditors-about-to-wrap-up-training

By

Changes to the CMMC Advisory Board as Congress turns up scrutiny of cyber standards

Less than two months after the Cybersecurity Maturity Model Certification (CMMC) advisory board became official, there’s already changes afoot.

Two original members of the advisory board have recently left.  John Weiler, CEO of the IT Acquisition Advisory Committee (IT-ACC), and Jim Goepel, the CEO and general counsel for Fathom Cyber LLC, are no longer listed on the main board of directors section.

Goepel left for personal reasons, while Weiler decided to work with the CMMC AB in a new way.

The change comes as the Senate and House armed services committee members turn up the heat on the CMMC by adding nine  provisions — six from the Senate — in the fiscal 2021 Defense authorization bill.

Keep reading this article at: https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/08/changes-to-the-cmmc-advisory-board-as-congress-turns-up-scrutiny-of-cyber-standards/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter