The Pentagon’s Cybersecurity Certification Plan Includes Continuously Monitoring Contractors  
The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program—the CMMC-AB—issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.


The CMMC will end the DOD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DOD to gain a certificate from third-party auditors that will be valid for up to three years.   


“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DOD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.” 


The CMMC-AB posted the RFP to its LinkedIn page earlier today with a May 1 deadline for responses.


Katie Arrington, chief information security officer for the Defense acquisition office, who has embraced the alternative title “mother of the CMMC,” mentioned the RFP during a webinar today on the DOD’s efforts to help small businesses amid the coronavirus pandemic. 


She was responding to a question about how the coronavirus would affect the timeline for implementing the CMMC. 


Arrington has previously said the program would be unaffected, noting that the training for assessors would largely take place online anyway.


But last week during a Bloomberg Government webinar she conceded the virus is “