Wednesday, June 18, 2025
The Aerospace Industries Association is urging its members to achieve the current cyber requirements in defense contracts regarding National Institute of Standards and Technology Special Publication 800-171 and accompanying documentation as uncertainty continues over when the Pentagon's Cybersecurity Maturity Model Certification program will launch.
Stacy Bostjanick, chief of defense industrial base cybersecurity, says industry should expect to see a rulemaking in June that will expand the Pentagon's incident reporting program for companies who currently have a defense contract to the wider defense industrial base that handles controlled unclassified information.
DOD Chief Information Officer John Sherman assured lawmakers at a Thursday hearing on the rollout of the Cybersecurity Maturity Model Certification program, acknowledging it has faced delays following an internal review while committing that it will be carried out successfully.
The Defense Department has finalized a rulemaking to revise the use of its supplier risk system platform for acquisition officials when evaluating bids for contracts, making a move that stakeholders see as a precursor for the Pentagon's Cybersecurity Maturity Model Certification program becoming part of the formal acquisition process.
The U.S. government's transition to a zero-trust architecture will continue to be a top priority as the National Security Agency and Defense Department continue on their journey with new guidance for national security systems, while civilian agencies reveal cost estimates for the move to ZTA as part of their fiscal year 2024 budget requests.
The Defense Department's Cybersecurity Maturity Model Certification leader Stacy Bostjanick and accreditation body CEO Matthew Travis are pushing for the entire federal government to adopt National Institute of Standards and Technology Special Publication 800-171, the Pentagon's foundational standard for handling sensitive federal data for its CMMC program, to ensure consistency between defense and civilian requirements.
The Pentagon has updated its cybersecurity reference architecture to address mandates from the 2021 cyber executive order with a focus on zero trust and how associated principles can secure Defense Department business operations and national security systems.
The Information Technology Industry Council wants the Defense Department to leverage the General Services Administration's FedRAMP program to help military services and agencies transition to zero trust with help from cloud service providers.
The National Institute of Standards and Technology is offering a preview into upcoming changes to its foundational guide for organizations handling sensitive federal data.
Rep. Mike Gallagher (R-WI), chairman of the House Armed Services cyber, information technologies and innovation subcommittee, is planning to push for legislation to create a joint collaborative environment within the Cybersecurity and Infrastructure Security Agency and address "systemically important critical infrastructure," in an effort to get two high-priority recommendations from the Cyberspace Solarium Commission into law.
The Aerospace Industries Association raised concerns with the House Armed Services Committee over the cost of compliance with the Pentagon's Cybersecurity Maturity Model Certification program at a Wednesday hearing focused on strengthening the defense industrial base.
Matthew Travis, CEO of the accreditation body behind the CMMC program, says he is encouraged by the Pentagon's "commitment" to move forward with establishing a cyber certification initiative for defense contractors, despite a potential shift in the rulemaking timeline.
The accreditation body behind the Pentagon's cyber certification program has published a detailed spreadsheet outlining comments from stakeholders on the group's first assessment process guide.
Companies should continue preparing for the launch of the Pentagon's Cybersecurity Maturity Model Certification program as the process to finalize rulemaking continues, according to program director Stacy Bostjanick, who spoke with Inside Cybersecurity in a wide-ranging interview.
Leaders from the defense industrial base are urging the Cybersecurity and Infrastructure Security Agency to consolidate how it will collect mandatory incident reports from the sector into a single "channel" where information is shared between the Defense Department and CISA.
Full implementation of the Pentagon's Cybersecurity Maturity Model Certification program for defense contractors will likely shift to 2024 based on revised estimates from the Defense Department in the fall 2022 unified agenda, which indicates two proposed rules are expected for release in the coming months.
Multiple agencies are expected to act on incident reporting requirements in the new year as work to digest industry feedback continues at the Securities and Exchange Commission and Cybersecurity and Infrastructure Security Agency, while changes to federal acquisition regulations from the 2021 cyber executive order are coming along with the release of the long-awaited national cyber strategy.
The Pentagon is planning to submit the first rulemaking under its cyber certification program in January for review by the White House Office of Management and Budget, according to a Defense Department spokeswoman, shifting the official launch timeframe farther down the road than previously expected.
A recent guide from the National Defense Information Sharing and Analysis Center is designed to assist small and medium-size businesses with choosing a managed service provider to help reach compliance with the Pentagon's Cybersecurity Maturity Model Certification program.
Defense contractors are having trouble complying with current cyber standards put in place in 2017, according to a recent industry survey, which puts a spotlight on the defense industrial base preparedness for the Cybersecurity Maturity Model Certification program.