The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for supply chain security

By

Pentagon’s cybersecurity certification plan includes continuously monitoring contractors

The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program — the CMMC-AB — issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.

The CMMC will end the DoD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DoD to gain a certificate from third-party auditors that will be valid for up to three years.

“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DoD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.”

The CMMC-AB posted the RFP to its LinkedIn page with a May 1 deadline for responses.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/04/pentagons-cybersecurity-certification-plan-includes-continuously-monitoring-contractors/164821/

By

CMMC standards for non-defense contractors could be coming

The Department of Defense‘s push to secure its leaky supply chain from cyberattacks might “rapidly” become a standard for civilian agencies too.

Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Thursday that she has met with Chris Krebs — the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — to discuss the DoD’s new Cybersecurity Maturity Model Certification (CMMC) and how it could translate eventually to civilian, non-defense federal contractors.

Arrington was said she believes CMMC “will become a federal standard for the whole of government rapidly.” But, a CISA official was more cautious about amplifying CMMC beyond its defense acquisition purposes, saying “civilian agencies operate under separate acquisition authorities and CMMC is a DoD-specific program.”

“CISA is certainly following the development of CMMC with great interest and it’s likely that civilian agencies will naturally benefit from CMMC implementation,” the official told FedScoop. “Due to that overlap, we aim to harmonize our cybersecurity approaches as much as possible, including on directives.”

Keep reading this article at: https://www.fedscoop.com/cmmc-federal-standards-for-acqusition/

By

Industry on pins and needles as DoD and accreditation body work to finalize CMMC agreement

The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification (CMMC) off the starting blocks.

Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations.

Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature.

Arrington, speaking at the Washington Technology CMMC event in McLean, Virginia on March 13, said once the MOU is signed, the six-month push to begin putting CMMC standards in procurements officially will begin.

“The accreditation board, the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University and DoD are going through simulations of training, working through the kinks,” she said. “The first session of classes will actually be a lot of the proof in the pudding, and DoD will be there to help through this. This is new so we want to make sure we get it right.”

Keep reading this article at: https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/03/industry-on-pins-and-needles-as-dod-accreditation-body-to-finalize-cmmc-agreement/

By

Pentagon announces final version of cyber standards for contractors

During an event where Defense Department officials looked to dispel myths about a plan to certify the cybersecurity of its contractors through third-party audits, the department’s head of acquisitions spoke to why the rollout of the program isn’t expected to be done till 2026. 

“We are doing this with what I would call irreversible momentum,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said, answering questions from reporters.

Some stakeholders have said the plan to subject companies in the defense industrial base to reviews by independent auditors—instead of allowing them to self-attest to security practices—is moving at break-neck speed.  But Defense officials were pressed at the event to explain why it would take such a long time to fully implement the program.

“We’re being realistic in terms of making sure we have pathfinder projects and then we implement it and learn, get the feedback, and go on,” Lord said.

While the department plans to note CMMC requirements in requests for information starting late spring, specific security levels—ranging 1 through 5, described in a final version 1.0 of the model—won’t be included in requests for proposals till the fall, when it is expected the related rule will be finalized in Defense Federal Acquisition Regulations.

Spring is also when auditors will start attending classes and CMMC training will be available on the Defense Acquisition University website, officials said.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/01/pentagon-announces-final-version-cyber-standards-contractors/162807/

By

Final DoD cybersecurity certification model due Friday

The Defense Department official leading the development of an ambitious plan to independently certify military contractors’ cybersecurity practices will review a final version of the plan Friday (Jan. 31, 2020) and shared key details for its implementation.

Stipulations of the Cybersecurity Maturity Model Certification (CMMC) will be written into the Defense Federal Acquisition Regulation Supplement (DFARS) as an update to rule 252.204.7012, which currently requires contractors handling information of certain sensitivity to implement security practices spelled out in National Institute of Standards and Technology (NIST) Special Publication 800-171 and to report cyber incidents within 72 hours.

The major change in the updated rule—which is expected to be open for comment in the spring—will be that contractors will no longer be permitted to self-attest their adherence to the NIST-described practices, as they are now.

The new program will also introduce five levels of tiered requirements for defense contractors. Contractors dealing with information that is not as sensitive would have to meet the “basic cyber hygiene” of level 1, versus the “good cyber hygiene” that implies compliance with the NIST 800-171 controls, or the “advanced” practices that would be required at level 5.

That risk-based approach has gotten the coming CMMC some praise, but the contracting community is on high alert with concerns ranging from the cost of certification to the details of how the audits will function through a nonprofit accreditation body.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/01/final-dod-cybersecurity-certification-model-due-friday/162713/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter