Saturday, October 4, 2025
Roles and responsibilities of the Defense Department and the accreditation body for its Cybersecurity Maturity Model Certification program are detailed in a memorandum of understanding released this week, which spells out how government will work with industry to conduct cyber verification assessments for the defense industrial base.
The Defense Department provided new details this week on the memorandum of understanding with an independent accreditation authority that will certify companies under the Cybersecurity Maturity Model Certification program.
The independent accreditation body for the Pentagon's Cybersecurity Maturity Model Certification program is collecting information from potential vendors who are able to provide a platform for assessors to take their exams for certification.
The Cybersecurity Maturity Model Certification Accreditation Body is developing standards for assessment that are adaptive to changes made to "source documents" coming from the Defense Department, according to CMMC AB board member Regan Edens.
The accreditation group for the Pentagon's Cybersecurity Maturity Model Certification program says details released on its provisional program for auditors and assessors were published "inadvertently" on its website, and crafting the requirements and application details for the program is still in process.
The independent accreditation body developing standards for auditors and assessors under the Defense Department's Cybersecurity Maturity Model Certification program has circulated information on how the provisional program will work, including fees and an initial structure for the selection process for third-party assessors.
The Pentagon is moving aggressively under its cybersecurity certification program to create a framework and structure for contractors, vendors, and suppliers to get up to speed on what they will need to do to get certified, according to a top Defense Department official, but the process of changing acquisition rules to make the program effective could be delayed.
Auditors under the Cybersecurity Maturity Model Certification will be prohibited from consulting with companies they are certifying in an effort to create "checks and balances," according to DOD acquisition Chief Information Security Officer Katie Arrington.
The Defense Department is surging ahead with efforts to get third-party assessor organizations certified for work under the Cybersecurity Maturity Model Certification program, but the process of setting up a structure for companies to be assessed and approved has many unanswered questions, according to two large defense industry groups.
The Senate Armed Services Committee's move to paper hearings has slowed efforts to fold Cyberspace Solarium Commission recommendations into the fiscal year 2021 defense authorization bill, as the Senate panel's leaders want to hear directly from members of the high-profile advisory panel in person, according to a committee staffer.
The Defense Department is setting an aggressive schedule to get up to 1,500 contractors certified under the Cybersecurity Maturity Model Certification program by the end of this year, but the timing could shift on expected deliverables amid the response to the COVID-19 health crisis, according to public statements and remarks by sources.