DOD Official: Upcoming Cybersecurity Requirements Could Still Significantly Change Based on Industry Feedback

The Defense Department official in charge of rolling out the department’s Cybersecurity Maturity Model Certification program suggested it might be necessary to revise the standard to address the high costs associated with validating procurements at the very top of its tiered model.


“There's a lot of discussion I think yet to be had on level four and five,” Katie Arrington, the DOD’s CMMC lead, said. “Is it all the controls in level four? Or is it a you know, à la carte that you need to be able to meet 50% of the controls in level four, to get certification? Because it's very expensive. And is there the [return on investment] on implementing all those controls? Do we need to modify the CMMC?”


Department officials realize and accept under the new rule that vendors will include the cost of the cybersecurity certification in their proposals.


Arrington briefed members of the defense contracting community Wednesday during a webinar hosted by Project Spectrum, an education and training initiative supported by the department’s Office of Small Business Programs.


The CMMC program aims to replace a system of accepting contractor testimonials about their cybersecurity posture with one where all entities within the defense industrial base have been audited by an independent third party. The requirements will vary according to the level of risk, one through five, that contractors present.


Public comments are due at the end of November on an interim CMMC rule that will take effect on Dec. 1. A final rule, which will factor in those comments, can be expected by February, Arrington has said.


Under the interim rule, contractors being considered for awards after Dec. 1 must have submitted a basic self-assessment where they give themselves a ..
