DOD Aims to Issue Proposed Rule for Certifying Contractors’ Cybersecurity in the Fall 

A sweeping plan to conduct independent third-party cybersecurity audits of prospective Defense Department contractors’ management of sensitive information will be subject to a formal rulemaking process, but the department and the nonprofit organization being established to train and approve certifiers are still moving at a quick clip. 


“Because we’re doing rulemaking, this isn’t going to roll out as hard and fast as we thought,” said a government official delivering a briefing on Defense’s Cybersecurity Maturity Model Certification program at a meeting of the Software Supply Chain Assurance forum today.


Quarterly meetings of the forum—co-led by Defense, the General Services Administration, the National Institute of Standards and Technology, and the Homeland Security Department—are attended by public and private sector representatives and conducted under the Chatham House Rule to encourage a free exchange of ideas.


The official said Defense expects the CMMC requirements to be issued as a proposed rule this fall, but regardless of the related public comment process, officials still plan to include the rules in requests for proposals starting in the third quarter. 


“In June, we’re going to give you an [request for information] that says these procurements are targeted to have CMMC requirements,” the official also noted.


The CMMC effort is intended to stem the loss of controlled unclassified information. Currently, defense contractors only have to self-attest their adherence to NIST special publications laying out the appropriate protections for such data.


The department intends to operationalize the coming certification program through a nonprofit accreditation body that will be tasked with training auditors, establishing the necessary infrastructure, accreditation and credentialing, and assessment operations, as laid out in a slide presentation by the official.


Companies looking to do business with the department will have t ..
