Official: Reciprocity Memos on DOD’s Cybersecurity Certification Program Are Ready

The Defense Department and the pending nonprofit organization working to implement a new certification program for all contractors have agreed on terms for accommodating companies that have already been audited for cybersecurity, and related memos are set to be signed, according to a leading official.


The Cybersecurity Maturity Model Certification, or CMMC, will replace a current system of Defense Department contractors simply pledging their adherence to cybersecurity standards issued by the National Institute of Standards and Technology. It will require companies to undergo audits by independent third parties—overseen by the Cybersecurity Maturity Model Certification Accreditation Body, or CMMC-AB, which is waiting on the Internal Revenue Service to grant it tax exemption status.


As many services are cloud-based, members of the contracting community have been eager to inherit the benefits of actions those providers might have already taken to validate the security of their systems, including through the Federal Risk and Authorization Management Program, or FedRAMP, which is controlled by the General Services Administration.


Defense officials sought to assure contractors that CMMC auditors would consider FedRAMP certifications, but no such reciprocity was mentioned in an interim CMMC rule the department made effective Nov. 30.


Speaking at an event hosted by CompTIA Tuesday, Katie Arrington, the chief information security officer for Defense acquisitions, said CMMC will officially provide reciprocity for FedRAMP audits, as well as for those the DOD's own Defense Industrial Base Cybersecurity Assessment Center has been conducting since the summer of 2019 and those by the International Organization for Standardization, or ISO.


“I'm going to take any ISO 27001 and provide reciprocity,” Arrington said, referring to the foundational international information security standard. “We're giving reciprocity for the DIBCAC assessments that have already been done. And we'r ..