Wednesday, December 7, 2022
The release of the Cyber Accreditation Body's Cybersecurity Maturity Model Certification assessment process guide is "premature" and could substantially increase costs for organizations seeking assessment, according to a large procurement association, which argues that it should be rescinded until the Defense Department completes its rulemaking process.
A defense industry leader says the Defense Industrial Base Sector Coordinating Council's recent exercise on the Pentagon's Cybersecurity Maturity Model Certification program shows more work is necessary to determine how the department will classify controlled unclassified information and the required maturity level needed for defense suppliers in contracts.
The Department of Homeland Security is moving forward with a final rule to set up security requirements for contractors handling sensitive data, submitting the rulemaking to the Office of Management and Budget for review.
Creating resilient supply chains in the United States will depend on investments in manufacturing like those in the CHIPS and Science Act, which provides $52 billion to bolster semiconductor production, according to National Cyber Director Chris Inglis, who argued the traditional rip-and-replace approach won't work in the long term.
Using managed service providers to help companies reach Cybersecurity Maturity Model Certification compliance should extend beyond the Defense Department by incorporating civilian agencies that also handle controlled unclassified information, according to a former General Services Administration senior official.
The first official Cybersecurity Maturity Model Certification assessment starts Aug. 22 under the Pentagon's "joint surveillance voluntary program," where a certified third-party assessment organization will conduct the examination and report results to the Defense Contract Management Agency for final approval.
Plans to update the National Institute of Standards and Technology's controlled unclassified information publications will depend on input gathered in a current pre-call for comments due in September, according to 800-171 series leader Victoria Pillitteri, who spoke at a July 27 summit focused on the Pentagon's Cybersecurity Maturity Model certification program.
The accreditation body behind the Pentagon's Cybersecurity Maturity Model Certification program has released the first "pre-decisional draft" of its CMMC assessment process guide, known as "the CAP," for public review and comment, going into detail on how organizations can obtain a certification from the planning phase to reporting results and addressing gaps.
Senate Armed Services Committee leadership is asking the Government Accountability Office to "conduct an assessment on the incorporation of reciprocity" into the Pentagon's Cybersecurity Maturity Model Certification program, in the chamber's latest version of the fiscal year 2023 defense authorization bill.
Cyber elements in the Senate version of the fiscal year 2023 defense authorization bill are mostly Defense Department-focused, including a provision to require contractors to submit a Software Bill of Materials, and new authorities for U.S. Cyber Command to play an active role in addressing critical infrastructure attacks by "foreign powers."
The National Institute of Standards and Technology has issued a pre-draft call for comments on four publications that explain how to protect the confidentiality of sensitive government data held on nonfederal systems, which are critical to the Pentagon's Cybersecurity Maturity Model Certification program.
The Defense Department is getting closer to finalizing details on the process for contractors to obtain a cyber certification ahead of the effort's formal launch in May 2023, which will include a memo from Pentagon officials to establish a "joint surveillance program" where assessment organizations and DOD officials work together to complete voluntary examinations.
MxD, a public-private partnership funded by the Defense Department, has published a CMMC playbook to help manufacturing companies meet level one requirements in the Pentagon’s cyber certification program.
The Pentagon is planning to issue a final rule in December establishing a regime for Defense Department acquisition officials to conduct assessments of a contractor's compliance with NIST Special Publication 800-171.
Pentagon cyber chief David McKeown says there are ongoing discussions to create a "cyber secure framework" for the defense industrial base that will go beyond the CMMC program and be based on the NIST cybersecurity framework.
The Pentagon's acquisition office has issued a memorandum reminding acquisition officials of the Defense Department's current standard for the handling of controlled unclassified information and potential remedies for non-compliance.
The House Armed Services Committee has approved its version of the fiscal 2023 defense authorization bill, including provisions to create an “information collaboration environment” at CISA and directing DHS and CISA to provide details to Congress on cyber incident response responsibilities.
The House Armed Services Committee is set to mark up an annual defense policy bill that includes creation of the "Cyber Threat Information Collaboration Environment Program," a reworked version of a Cyberspace Solarium Commission proposal viewed as an important component for government-industry interaction.
The House Armed Services Committee will take the first steps today in considering cyber proposals for the fiscal year 2023 defense authorization bill, including requiring a congressional briefing from Pentagon officials on their cyber certification program and Software Bill of Materials efforts.
The accreditation body behind the Pentagon's Cybersecurity Maturity Model Certification program announced a rebrand and new website today, aiming to align with the organization's future and offering new opportunities to bring CMMC to civilian agencies and international entities.