DOD Looking to Implement CMMC for International Vendors, Agency Official Says
The Department of Defense needs to find a way to bring foreign vendors into the Cybersecurity Maturity Model Certification program as the agency looks to implement the requirement in all contracts by 2023.
Stacy Bostjanick, chief of defense industrial base cybersecurity and deputy chief information officer for cybersecurity at the DOD, said during a PreVeil webinar that the department did not include international contractors in the initial CMMC rule because of a need to expedite and establish the requirement. International partners will need to have an additional rulemaking capability, something that Bostjanick said would be the next hurdle for CMMC.
The Pentagon hopes to have an interim CMMC rule by March 2023 and expects to implement the program in some contracts in May 2023, DefenseScoop reported.
According to Bostjanick, the National Institute of Standards and Technology’s Special Publication 800-171, which will be the basis for CMMC requirements, already applies to foreign vendors. She explained that the DOD will need to work with its international contractors on how to implement CMMC in their spaces.
One of the issues that the Pentagon official cited is the unwillingness of some countries to have a U.S.-based official assess relevant matters on their home soil. To resolve the issue, Bostjanick said work is being done to allow local assessors to be trained in the U.S.
Under CMMC, third-party assessors will conduct audits to ensure that contractors comply with the department’s cybersecurity standards. The requirement will ensure that companies will be able to respond to new and evolving threats.