The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for supply chain security

By

Defense contractor certification body says maintenance of companies’ cybersecurity posture is within its role

The accreditation body overseeing the Defense Department’s cybersecurity certification for prospective contractors is also authorized to provide certified companies with cybersecurity services, according to members of the group’s board of directors. 

“A continuous monitoring capability could provide benefits to organizations in the defense supply chain by increasing their awareness of changes to their current cybersecurity posture,” Mark Berman, chairman of the board’s communications committee told Nextgov. “This initiative is a potential avenue where we can provide value add to enhance and maintain the security posture.”

Berman was responding to comments from observers who say an April 22 request for proposal the accreditation board issued for a “continuous monitoring solution” marks a departure from the training and certification functions the group is expected to perform.

The Pentagon’s Cybersecurity Maturity Model Certification program is scheduled to take effect this fall following a change to defense federal acquisition regulations. Companies will have to attain third-party certification of their cybersecurity practices if they want to do business with the department. Defense contractors currently state whether they adhere to standards such as those outlined by the National Institute of Standards and Technology without any outside entity verifying their claims.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/05/defense-contractor-certification-body-says-maintenance-companies-cybersecurity-posture-within-its-role/165131/

By

DoD sees CMMC as new way to monitor supply chain, spot shell companies

The Defense Department wants to implement its much-discussed Cybersecurity Maturity Model Certification program mainly to ensure every single one of its vendors is undertaking minimum levels of commonly-understood cybersecurity practices so it can protect its supply chain.

But Defense officials increasingly see CMMC as a way to monitor aspects of that supply chain that aren’t strictly about cybersecurity.

DoD expects tens of thousands of its contractors to earn a CMMC certification over the next five years. But to get one — even at the most rudimentary Level One of CMMC — each company will need an in-person visit from a third-party assessor. Those visits are primarily so that auditors can verify companies have actually implemented the security practices required for their level of certification, since no self-attestations will be allowed.

But there’s another reason DoD also wants a set of human eyes on each CMMC applicant: the department wants to make sure each firm that’s certified is actually a real company with real employees.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/04/dod-sees-cmmc-as-new-way-to-monitor-supply-chain-spot-shell-companies/

By

Pentagon’s cybersecurity certification plan includes continuously monitoring contractors

The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program — the CMMC-AB — issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.

The CMMC will end the DoD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DoD to gain a certificate from third-party auditors that will be valid for up to three years.

“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DoD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.”

The CMMC-AB posted the RFP to its LinkedIn page with a May 1 deadline for responses.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/04/pentagons-cybersecurity-certification-plan-includes-continuously-monitoring-contractors/164821/

By

CMMC standards for non-defense contractors could be coming

The Department of Defense‘s push to secure its leaky supply chain from cyberattacks might “rapidly” become a standard for civilian agencies too.

Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Thursday that she has met with Chris Krebs — the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — to discuss the DoD’s new Cybersecurity Maturity Model Certification (CMMC) and how it could translate eventually to civilian, non-defense federal contractors.

Arrington was said she believes CMMC “will become a federal standard for the whole of government rapidly.” But, a CISA official was more cautious about amplifying CMMC beyond its defense acquisition purposes, saying “civilian agencies operate under separate acquisition authorities and CMMC is a DoD-specific program.”

“CISA is certainly following the development of CMMC with great interest and it’s likely that civilian agencies will naturally benefit from CMMC implementation,” the official told FedScoop. “Due to that overlap, we aim to harmonize our cybersecurity approaches as much as possible, including on directives.”

Keep reading this article at: https://www.fedscoop.com/cmmc-federal-standards-for-acqusition/

By

Industry on pins and needles as DoD and accreditation body work to finalize CMMC agreement

The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification (CMMC) off the starting blocks.

Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations.

Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature.

Arrington, speaking at the Washington Technology CMMC event in McLean, Virginia on March 13, said once the MOU is signed, the six-month push to begin putting CMMC standards in procurements officially will begin.

“The accreditation board, the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University and DoD are going through simulations of training, working through the kinks,” she said. “The first session of classes will actually be a lot of the proof in the pudding, and DoD will be there to help through this. This is new so we want to make sure we get it right.”

Keep reading this article at: https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/03/industry-on-pins-and-needles-as-dod-accreditation-body-to-finalize-cmmc-agreement/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter