The leadership of a volunteer private-sector group responsible for implementing the Defense Department’s Cybersecurity Maturity Model Certification program said it’s working to address conflict-of-interest issues to allow fair competition within the defense industrial base and among companies that want to advise them on meeting program requirements.
The DOD developed the CMMC to ensure contractors follow cybersecurity guidelines and to stop intellectual property theft by adversaries like China. Officials say the current practice of allowing contractors to simply pledge their adherence to National Institute of Standards and Technology practices has not been reliable. The CMMC program instead will institute a system of independent third-party audits, which all contractors will eventually have to undergo in order to serve the department.
On April 8, Katie Arrington, DOD’s CMMC lead, said a final rule on the requirements will be ready in about a month.
But implementation of the program so far has been controversial. It is being headed up by the volunteer group, which has entered a no-cost contract with the DOD as the CMMC Accreditation Body, or CMMC-AB. Both large and small contractors are worried, for a variety of reasons, about whether they will be treated fairly, according to a recent survey and interviews with contractors.
The DOD has said CMMC certification will cost contractors about $3,000 on the lower levels, and prospective auditors have lined up to be at the receiving end. There’s also a host of consultants hoping to make money off the process by advising companies on what they need to do to prepare for their audits so they don’t fail them and lose an award.
The CMMC-AB, wh ..