As the new regime takes effect, the tech industry’s lead trade association would rather higher level certifications be done by the department than independent third parties.

The Information Technology Industry Council is arguing that the foundation of U.S. cybersecurity policy — information sharing between organizations — presents a security threat that is too costly for many to address in response to a rule implementing the Pentagon’s Cybersecurity Maturity Model Certification Program.

The CMMC program was designed to change the Defense Department’s practice of having contractors simply attest to their own level of cybersecurity and institute a system of third-party auditors to validate required practices are in place.

The department’s Defense Contract Management Agency currently conducts audits of contractors’ cybersecurity through Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, assessments.  But Katie Arrington, the DoD official heading up the CMMC program, said a new ecosystem of private third-party assessors is necessary to scale such reviews across all of the approximately 300,000 companies the department relies on.

Organizations hoping to work with the Defense Department would be required to obtain certification through an accreditation body that entered into a no-cost contract with the Defense Department on Nov. 25.  The currently all-volunteer organization will be funded through fees it receives from assessors it trains to conduct audits and individuals it approves as qualified to consult with prospective contractors on CMMC requirements.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/12/what-dods-cyber-certification-program-reveals-about-info-sharing-challenges/170400/

It’s a significant week for the Defense Department’s Cybersecurity Maturity Model Certification program: New rules that serve as a precursor to the full CMMC implementation took effect on Tuesday, and an announcement of the first 15 contracts that will serve as “pathfinders” for the new model are imminent.

That initial set of procurements would represent the first real-world use of CMMC, the program the department has been building for the past year-and-a-half to shore up the cybersecurity of its industrial base.  So far, DoD acquisition officials have only applied the model to contracts in non-punitive tabletop exercises, and without publicly identifying the contracts involved.

The department expects to name the first 15 pathfinders within “the next few days,” Katie Arrington, the chief information security officer in DoD’s acquisition and sustainment office told an industry conference.  The announcement has been highly-anticipated as the defense industry waits to see how many vendors could be impacted by the initial pathfinder process.

Meanwhile, earlier this week, two precursors to the full CMMC rollout took effect — part of a sweeping rule change DoD promulgated in September to implement the program.  Going forward, almost all vendors bidding on new contracts will have to log into a web portal and attest to which specific security controls in NIST Special Publication 800-171 they’re currently complying with.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/12/pentagon-ready-to-name-first-15-pathfinder-contracts-for-cmmc/