As the new regime takes effect, the tech industry's lead trade association would rather have higher-level certifications performed by the department than by independent third parties.
In response to a rule implementing the Pentagon's Cybersecurity Maturity Model Certification program, the Information Technology Industry Council is arguing that the foundation of U.S. cybersecurity policy — information sharing between organizations — presents a security threat that is too costly for many companies to address.
The CMMC program was designed to change the Defense Department's practice of having contractors simply attest to their own level of cybersecurity and to institute a system of third-party auditors who validate that required practices are in place.
The department's Defense Contract Management Agency currently conducts audits of contractors' cybersecurity through assessments by its Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC. But Katie Arrington, the DoD official heading up the CMMC program, said a new ecosystem of private third-party assessors is necessary to scale such reviews across all of the approximately 300,000 companies the department relies on.
Organizations hoping to work with the Defense Department would be required to obtain certification through an accreditation body that entered into a no-cost contract with the Defense Department on Nov. 25. The currently all-volunteer organization will be funded through fees it receives from assessors it trains to conduct audits and individuals it approves as qualified to consult with prospective contractors on CMMC requirements.