Cyber threats against the United States and the Defense Department are very real, and the department's Cybersecurity Maturity Model Certification, released earlier this year, is now moving into implementation to mitigate those risks for both the department and its contractors.
“It’s no secret that the U.S. is at cyber war every day,” Ellen Lord, the undersecretary of defense for acquisition and sustainment, said, as part of a keynote address during the Professional Services Council’s 2020 Defense Services Conference. “Cybersecurity risks threaten the industrial base, national security, as well as partners and allies.”
The CMMC, Lord said, is the DOD’s metric to measure a company’s ability to secure its supply chain from cyber threats, protecting both the company and the department.
The department is now focused on implementing the CMMC. Lord said these efforts include supporting the Defense Federal Acquisition Regulation Supplement rulemaking process, completing a no-cost contract with the newly established CMMC accreditation body, registering and training candidate assessors for CMMC third-party assessment organizations, reducing risk through CMMC pathfinder and pilot programs, and developing the CMMC database infrastructure.
As part of CMMC, the accreditation body will accredit third-party assessment organizations, or C3PAOs, to evaluate a business’s compliance with CMMC standards. The CMMC-AB started registering such third-party assessors in June, Lord said.
Lord also said the Office of the Chief Information Security Officer for Acquisition and the Missile Defense Agency are now also completing a CMMC pathfinder on an existing contract, which involves acquisition tabletop exercises, training of mock assessors and conducting mock assessments of a prime contractor and three subcontractors. These efforts, she said, are for evaluation only and are non-punitive and not for attribution.
The OCISO-A and another DOD stakeholder will begin a second CMMC assessment pathfinder on an existing contract in September. That second pathfinder will also be non-punitive and not for attribution, she said. The OCISO-A is also looking for other contracts on which to conduct CMMC pilot projects.
“These pilots will be implemented on new DOD contracts to further reduce the risk of CMMC phased rollout, by focusing on the flow-down of controlled unclassified information … and CMMC requirements through the supply chain and conduct of mock CMMC assessments,” she said.
As part of developing the CMMC database infrastructure, Lord said, the department is now working with the Defense Information Systems Agency’s Enterprise Mission Assurance Support Service to develop “CMMC EMASS,” which will serve as the infrastructure for CMMC assessment reports, certificates and data analytics.
“The initial development for this is planned to start this month,” she said. “The certification body will train and credential candidate-assessors and accredit CMMC third-party assessment organizations. In fact, the first CMMC training course for candidate-assessors is also on track for this month.”