DOD Asks Contractors to Perform CMMC Self-Assessments for Now
The Department of Defense has asked defense contractors to meet the Cybersecurity Maturity Model Certification requirements on their own while there are still no officially accredited assessors.
Stacy Bostjanick, CMMC director within the Office of the Under Secretary of Defense for Acquisition and Sustainment, said DOD will have accredited a handful of assessor companies by early summer, FedScoop reported Wednesday.
Bostjanick said more established companies should be fit enough to enhance their cybersecurity measures on their own using the public CMMC model as guidance.
CMMC third-party assessor organizations will be authorized to connect with organizations seeking certification on the CMMC Accreditation Body marketplace.
The CMMC-AB has already designated some companies as registered provider organizations, authorizing them to provide advice, consulting and recommendations to companies seeking to comply with CMMC requirements.
RPOs only serve as “implementers” and consultants, the CMMC-AB said, but are not authorized to conduct certified assessments.
Bostjanick urged defense contractors to keep an eye on the official list of assessors and consultants because there are companies that oversell their ability to provide CMMC services.
She said such companies take advantage of the uncertainty in the accreditation process and in deadlines to profit off of the program.
The Defense Department began implementing the CMMC program in December 2020, requiring all defense contractors to ensure that their cybersecurity competency is up to standards.
The Pentagon plans to include CMMC requirements in seven pilot contracts by the end of 2021, FedScoop reported previously.
The pilot contracts will require their holders to meet at least CMMC Level 3 certification, which requires the creation of a plan demonstrating the management of activities for practice implementation.
Tags: C3PAO CMMC CMMC-AB cybersecurity Department of Defense DoD FedScoop RPO Stacy Bostjanick