DOD Conducts Internal Review of CMMC

The Department of Defense said its Cybersecurity Maturity Model Certification program is undergoing a routine “internal review.”

According to DOD spokesperson Jessica Maxwell, the department is determining whether the program is accomplishing its stated goals while not creating unnecessary barriers for defense contractors, FedScoop reported Tuesday.

CMMC is the Pentagon’s metric for determining contractors’ ability to protect themselves and their work with the department from cyber threats. 

The program’s standards require companies to hire third-party assessors to evaluate their networks based on five tiers of controls.

While Maxwell did not provide details on the ongoing review, she said such a process is routine for high-impact programs like CMMC.

Other agencies, including the General Services Administration and the Department of Homeland Security, have begun implementing CMMC-like rules for some of their contracts.

The GSA included CMMC cybersecurity standards in its $50 billion Streamlined Technology Application Resource for Services III government-wide acquisition contract in early 2020. The move preceded the DOD’s launch of the CMMC program.

Keith Nakasone, GSA’s deputy assistant commissioner for acquisition, has also announced plans to include specific CMMC language at the order level.

GSA reportedly also plans to push for requirements related to zero trust security in response to trends in data transfer technologies.

In October 2020, a top DHS official said the department was exploring ways to use the CMMC standards in its own supply chain.

Thresa Lang, a principal DHS cyber adviser and a past Potomac Officers Club event speaker, said CMMC-based standards could provide supply chain guidance and governance for all DHS law enforcement, intelligence national security and humanitarian response agencies.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now