The Defense Department and the accreditation body charged with implementing its Cybersecurity Maturity Model Certification aren’t clear on a plan to deal with contractors that have a significant portion of their supply chains based in China, according to a DOD official.
The department launched the CMMC to ensure the contractors it buys goods and services from adhere to specific cybersecurity requirements that must be verified by an independent third-party auditor. As officials develop the program, they’re tackling the hot-button issue of suppliers’ country of origin.
On Wednesday, the Government Accountability Office released its annual review of DOD’s acquisitions practices, noting “inconsistent implementation of leading software practices and cybersecurity measures among [major defense acquisition program]s.”
“DOD acquisition programs are more software-driven than ever before,” the comptroller general wrote in an introductory letter in the report to Congress. “Timely development and delivery of software capability is now often paramount to a program’s success. Nonetheless, we found that software development continues to be a stumbling block in many programs, as DOD often departs from the proven practices on which commercial industry relies. These challenges also occur in an environment where DOD faces global cybersecurity threats to its weapon and IT systems, but has made only limited progress to date in identifying and eliminating its vulnerabilities.”
The Defense Department acknowledged these shortcomings in a letter appending the report. CMMC is supposed to be part of a cultural shift to address the inclusion of cybersecurity at every step in the process, Katie Arrington, chief information security officer for the defense acquisitions office has said, noting policy updates the department has made to its acquisitions framework.
As all eyes are on the program, some st ..
Support the originator by clicking the read the rest link below.
