CMMC guidance
DOD Issues Assessment Guides for Complying With First Two CMMC Levels
The Department of Defense has released assessment guides for fulfilling level one and two requirements under the rebooted Cybersecurity Maturity Model Certification program.
The level one guide calls for defense contractors to conduct a self-assessment of their networks. According to the head of a certified assessment organization, this is redundant, as it closely resembles the guidance already given in National Institute of Standards and Technology Special Publication 800-171A.
Johann Dettweiler, director of operations at TalaTek, considers it a waste of resources and effort on the DOD’s part to rebrand an already existing framework, FedScoop reported Tuesday.
NIST SP 800-171A provides federal and nonfederal organizations with procedures for assessing the security requirements that protect controlled unclassified information. Just like the DOD guide, assessments under the NIST publication can be conducted as self-assessments.
Dettweiler also questioned whether contractors without a security background would be qualified to conduct the self-assessment for CMMC level one.
“It’s too difficult for someone not well versed in security to determine their boundary, implement the controls at the component level for that boundary, and then perform an honest self-assessment,” he said.
The majority of contractors under level two will be cleared to conduct self-assessments, but some will need to complete a third-party assessment, as certain contracts require them to show their ability to meet stringent security controls.
The goal is to show the contractors’ maturity and not just compliance with the new cybersecurity standards.