Sunday, February 9, 2025
The Pentagon will start the formal process in July to make regulatory changes to its Cybersecurity Maturity Model Certification program with the submission of a new rulemaking to the White House Office of Management and Budget for review, according to a Pentagon spokesman.
The use of waivers for the Pentagon’s Cybersecurity Maturity Model Certification program will be determined based on the needs of acquisition officials for specific contracts, not the qualifications of a company bidding for contract selection, according to CMMC director Stacy Bostjanick.
CMMC director Stacy Bostjanick says the Pentagon is planning to release the “interim rule” to implement its Cybersecurity Maturity Model Certification program by May 2023, with initial requirements showing up in DOD contracts 60 days after the rule publication.
The accreditation body behind the Pentagon's Cybersecurity Maturity Model Certification program hopes to release in June a CMMC assessment process guide, or CAP, with guidance on remediating gaps and addressing reciprocity with other federal standards, according to CMMC-AB Chief Executive Officer Matthew Travis.
The Defense Contract Management Agency is planning to evaluate information submitted by contractors on their compliance with NIST Special Publication 800-171 to get a better understanding of whether the defense industrial base is meeting the current standard for handling sensitive data.
The Defense Department is looking into how to keep contractors who pass a Cybersecurity Maturity Model Certification assessment accountable for maintaining their systems during the three-year certification period, according to John Ellis of the Defense Contract Management Agency, who says DOD may add an "affirmation" mechanism for companies to assert their compliance each year.
The Defense Department is moving forward with its plans to split cyber certification requirements for contractors into two separate rulemakings, focused on NIST Special Publication 800-171 and the Cybersecurity Maturity Model Certification program.
Contractors conducting research and technology development for the Defense Department are failing to protect controlled unclassified information on their networks, according to a DOD inspector general report, which evaluated their compliance against the Pentagon's requirements for safeguarding sensitive data.
The Defense Department recommends the creation of cyber supply chain risk management guidance for Pentagon acquisition purposes, in a new report examining challenges and gaps in the department's supply chain activities.
Voluntary assessments under the Pentagon's Cybersecurity Maturity Model Certification program are expected to begin in the second quarter of fiscal year 2022, according to Matthew Travis, CEO of the CMMC Accreditation Body, who outlined details that must be ironed out with the Defense Department before the interim period launch can begin.
The Defense Department is still considering whether to allow companies to self-attest their compliance with level two of its Cybersecurity Maturity Model Certification program, according to DOD cyber chief David McKeown, who provided additional detail on the Pentagon's plans to address controlled unclassified information at a meeting on Thursday.
The office of the Defense Department chief information officer has formally established a zero-trust portfolio management office with a focus on developing shared services and providing orchestration for implementations developed by the uniformed services and agencies within the department, according to DOD cyber chief David McKeown.
The two rulemakings to implement the Defense Department’s Cybersecurity Maturity Model Certification program are a work in progress, according to DOD cyber chief David McKeown, who says the Pentagon is continuing to develop its policies in areas such as incentives and how contractors will be allowed to fill gaps.
The Defense Department is making changes to version two of its Cybersecurity Maturity Model Certification program following a review of what controlled unclassified information needs to be protected under the second tier of the model, according to DOD Deputy Chief Information Officer for Cybersecurity David McKeown.
Katie Arrington is leaving the Pentagon after months of uncertainty over her future as chief information security officer for the Defense Department's acquisition arm, during an ongoing investigation into her alleged sharing of classified information outside of DOD.
The Pentagon's decision to move the Cybersecurity Maturity Model Certification program is part of an effort to align cybersecurity initiatives across the department, according to DOD CIO John Sherman.
Transitioning the Pentagon's cyber certification program to the Defense Department chief information officer's portfolio could have a positive impact on DOD efforts to engage with industry, according to a major trade association.
The Cybersecurity Maturity Model Certification program is moving from the Pentagon's acquisition arm to direct oversight by Defense Department Chief Information Officer John Sherman, according to a memorandum obtained by Inside Cybersecurity.
Defense Department Chief Information Officer John Sherman has issued a memorandum detailing how acquisition officials across DOD should evaluate open-source software for defense contracts.
The upcoming Cybersecurity Maturity Model Certification assessment process guide includes details on the four phases of assessments, explains procedures and provides a "template inventory," according to the accreditation body behind the Pentagon's CMMC program.