DOD Official Confident in Cybersecurity Certification Body’s Business Model

The volunteer accreditation body that will handle the Defense Department’s cybersecurity certification effort for contractors will be able to support itself financially, according to the official leading the Cybersecurity Maturity Model Certification program.


Last month, funding for the various activities of the volunteer group, called the CMMC Accreditation Body, or AB, became a bigger part of policy discussions after the group floated the idea of offering “sponsorships” in exchange for hundreds of thousands of dollars.


Arrington, chief information security officer for DOD’s acquisition office, described it as an admirable but misguided effort due to the potential conflict of interest. Critics—including those from the tech industry and legal community—have called for the department to put more resources toward the program.


“They’ve shared their business plan and revenue models with the department,” Arrington said. “They have figured out a way to make it a sustaining. They've done the lord's work in my eyes.”


The CMMC program, detailed in a Sept. 30 interim rule, will take effect on Dec. 1. It will require Defense contractors to pass third-party audits of their cybersecurity before they can do business with the department. The current system relies on entities within the defense industrial base simply declaring that they’ve implemented appropriate controls, as outlined by the National Institute of Standards and Technology. 


DOD is accepting public comments on the interim rule through November and will consider those in issuing a final rule, which Arrington said can be expected to drop in January or February of next year. 


Arrington reacted to concerns about the AB’s finances Wednesday at CyberCon 2020, an event hosted ..