The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for CMMC accreditation

By

DoD to include cybersecurity requirements in RFPs starting in November

Defense contractors should expect to see new Cybersecurity Maturity Model Certification (CMMC) version 1.0 requirements in requests for proposals released in November, according to Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment.

The requirements are a reflection of the Pentagon’s push to protect defense industrial base networks and controlled unclassified information from cyber attacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security, with level one being the lowest and level five the most stringent.

“We understand this is a big cultural shift and we want to ensure that we’re doing everything we can to bring our small business partners right along with us,” she said at the annual Special Operations Forces Industry Conference, which is being held virtually this year due to COVID-19 safety concerns. “We are working on different plans and strategies to help.”

For instance, contractors bidding on a program may not need to have their CMMC certifications until the time of contract award, she noted at the vSOFIC event, which is hosted by the National Defense Industrial Association on behalf of U.S. Special Operations Command.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/5/11/new-cmmc-rules-for-defense-contractors-to-come-in-november

By

Defense contractor certification body says maintenance of companies’ cybersecurity posture is within its role

The accreditation body overseeing the Defense Department’s cybersecurity certification for prospective contractors is also authorized to provide certified companies with cybersecurity services, according to members of the group’s board of directors. 

“A continuous monitoring capability could provide benefits to organizations in the defense supply chain by increasing their awareness of changes to their current cybersecurity posture,” Mark Berman, chairman of the board’s communications committee told Nextgov. “This initiative is a potential avenue where we can provide value add to enhance and maintain the security posture.”

Berman was responding to comments from observers who say an April 22 request for proposal the accreditation board issued for a “continuous monitoring solution” marks a departure from the training and certification functions the group is expected to perform.

The Pentagon’s Cybersecurity Maturity Model Certification program is scheduled to take effect this fall following a change to defense federal acquisition regulations. Companies will have to attain third-party certification of their cybersecurity practices if they want to do business with the department. Defense contractors currently state whether they adhere to standards such as those outlined by the National Institute of Standards and Technology without any outside entity verifying their claims.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/05/defense-contractor-certification-body-says-maintenance-companies-cybersecurity-posture-within-its-role/165131/

By

DoD sees CMMC as new way to monitor supply chain, spot shell companies

The Defense Department wants to implement its much-discussed Cybersecurity Maturity Model Certification program mainly to ensure every single one of its vendors is undertaking minimum levels of commonly-understood cybersecurity practices so it can protect its supply chain.

But Defense officials increasingly see CMMC as a way to monitor aspects of that supply chain that aren’t strictly about cybersecurity.

DoD expects tens of thousands of its contractors to earn a CMMC certification over the next five years. But to get one — even at the most rudimentary Level One of CMMC — each company will need an in-person visit from a third-party assessor. Those visits are primarily so that auditors can verify companies have actually implemented the security practices required for their level of certification, since no self-attestations will be allowed.

But there’s another reason DoD also wants a set of human eyes on each CMMC applicant: the department wants to make sure each firm that’s certified is actually a real company with real employees.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/04/dod-sees-cmmc-as-new-way-to-monitor-supply-chain-spot-shell-companies/

By

Pentagon’s cybersecurity certification plan includes continuously monitoring contractors

The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program — the CMMC-AB — issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.

The CMMC will end the DoD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DoD to gain a certificate from third-party auditors that will be valid for up to three years.

“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DoD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.”

The CMMC-AB posted the RFP to its LinkedIn page with a May 1 deadline for responses.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/04/pentagons-cybersecurity-certification-plan-includes-continuously-monitoring-contractors/164821/

By

CMMC standards for non-defense contractors could be coming

The Department of Defense‘s push to secure its leaky supply chain from cyberattacks might “rapidly” become a standard for civilian agencies too.

Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Thursday that she has met with Chris Krebs — the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — to discuss the DoD’s new Cybersecurity Maturity Model Certification (CMMC) and how it could translate eventually to civilian, non-defense federal contractors.

Arrington was said she believes CMMC “will become a federal standard for the whole of government rapidly.” But, a CISA official was more cautious about amplifying CMMC beyond its defense acquisition purposes, saying “civilian agencies operate under separate acquisition authorities and CMMC is a DoD-specific program.”

“CISA is certainly following the development of CMMC with great interest and it’s likely that civilian agencies will naturally benefit from CMMC implementation,” the official told FedScoop. “Due to that overlap, we aim to harmonize our cybersecurity approaches as much as possible, including on directives.”

Keep reading this article at: https://www.fedscoop.com/cmmc-federal-standards-for-acqusition/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter