How DoD’s New Cybersecurity Rules Affect Government Contractors

At the end of last year, the Department of Defense (DoD) issued six guidance memoranda aimed at assisting acquisition personnel in developing what has been described as “effective cybersecurity strategies to enhance existing protection requirements.” This included a mandate for the Defense Contract Management Agency to ensure that cybersecurity compliance will be a part of a contractor’s purchasing system audit and approval process.

Among the changes is the new Cybersecurity Maturity Model Certification (CMMC), which will replace the self-attestation model and move towards third-party certification. It will require all defense contractors and subcontractors to undergo a third-party assessment of their internal cybersecurity technical practices and process maturity against published standards.

The final version of CMMC is set to be published by the end of January. The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia. An independent accrediting body will soon begin training the auditors.

“Industry partners and vendor supply chains are an ongoing…
