The Defense Department’s Cybersecurity Maturity Model Certification initiative could have the opposite of its desired effect and create security risks, major companies said in a letter to top Pentagon officials Friday seeking clarification on a number of issues.
“We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs,” reads the letter to Ellen Lord, under secretary of Defense for acquisition and sustainment, and Katie Arrington, the chief information security officer for the acquisitions office. “These challenges could lead to the DIB being even less secure, if left unaddressed.”
More than 100 companies are represented in the letter by the Internet Association, BSA | The Software Alliance, The Cybersecurity Coalition, the Information Technology Industry Council, CompTIA and the Alliance for Digital Innovation.
Pentagon officials are launching the CMMC in an attempt to ensure contractors within the Defense Industrial Base are implementing appropriate cybersecurity controls amid concerns foreign adversaries such as China are hacking their systems to steal valuable intellectual property.
Defense contractors are currently self attesting their adherence to controls such as those laid out in National Institute of Standards and Technology Special Publication 800-171. The CMMC would require independent third party auditors validate companies’ compliance before they can do business with the DOD.
Defense officials say the CMMC requirements will be added to the Defense Federal Acquisition Regulation Supplement as an update to rule 252.204.7012 and will be open for public comment in the spring.
But industry isn’t waiting to weigh in.
Pentagon officials say they are moving slo ..
Support the originator by clicking the read the rest link below.
