A sweeping plan to conduct independent third-party cybersecurity audits of prospective Defense Department contractors’ management of sensitive information will be subject to a formal rulemaking process, but the department and the nonprofit organization being established to train and approve certifiers are still moving at a quick clip.
“Because we’re doing rulemaking, this isn’t going to roll out as hard and fast as we thought,” said a government official delivering a briefing on Defense’s Cybersecurity Maturity Model Certification (CMMC) program at a recent meeting of the Software Supply Chain Assurance forum.
Quarterly meetings of the forum — co-led by Defense, the General Services Administration, the National Institute of Standards and Technology, and Homeland Security Department—are attended by public and private sector representatives and conducted under the Chatham House Rule to encourage a free exchange of ideas.
The official said Defense expects the CMMC requirements to be issued as a proposed rule this fall, but regardless of the related public comment process, officials still plan to include the rules in requests for proposals starting in the third quarter.
“In June, we’re going to give you an [request for information] that says these procurements are targeted to have CMMC requirements,” the official also noted.