For some time now, Department of Defense (DoD) contractors have been preparing for the Cybersecurity Maturity Model Certification (CMMC) rollout—the new cybersecurity framework from the DoD. Under the Trump administration, the path ahead appeared clear. But there are concerns that the implementation could change under the new Biden administration.
So far, it seems that if there are any changes to the CMMC itinerary, they will be minor. CMMC’s advisory members, Jim Goepel of Fathom Cyber LLC and John Weiler of the IT Acquisition Advisory Committee, no longer hold positions on the main board of directors. However, commentators do not believe that these departures will have a material impact on DoD contractors.
The initial purpose of the CMMC rollout was to establish a universal cybersecurity standard for all Department of Defense contractors. Auditors would rate contractors into five categories, depending on their security level and cybersecurity preparedness level, with level 1 being the lowest and 5 the highest.
Critically, CMMC differed from previous security arrangements in that contractors were no longer allowed to certify their cybersecurity readiness. Instead, they must now seek the approval and categorization of a certified, independent assessor. Contractors that do not meet the standards set out by the DoD will be ineligible to receive contract awards above the level of their CMMC rating.
Version 1.0 of the CMMC went live in January 2020 with further revisions and interim rules appearing later that year in September. However, thanks to the political, economic, and social turmoil of last year (owing to the election, pandemic, and recession), many contractors still aren’t sure how the CMMC rollout will affect them. They are concerned that changes at the political levels will affect their business plans.
For the most part, it looks like they will escape any further demands. Senate and House-armed service committee members are turning up the heat on the CMMC by adding nine new provisions in the 2021 Defense Authorization bill. However, these changes target the DoD itself, not private contractors.
According to the House report, “The committee is concerned that while DoD leadership recognizes that certain cyber hygiene practices could effectively protect the department from a significant number of cybersecurity risks the department has not implemented its own cyber hygiene practices.”
Members of the committee lamented the fact that the DoD appears to demand cybersecurity standards from regular contractors that it is not able to implement itself. Thus, the legislature would like to see the DoD bring internal standards up to at least CMMC level 3. It is also demanding that the secretary of defense submit a report detailing the quality of cyber hygiene practices in the department.
Overall, therefore, most of the politically-driven changes to the CMMC appear to target the public sector itself. Private contractors can continue in their current rollout plans as before. Those looking for further guidance should seek out the help of a CMMC consultant. If there are any changes, the expectation is that they will be minor.
The post How Will the Change in Administration Affect CMMC Rollout? first appeared on Feedster.from Feedster https://www.feedster.com/business-news-daily/how-will-the-change-in-administration-affect-cmmc-rollout/
No comments:
Post a Comment