Saturday, October 4, 2025
The Defense Department has issued a proposed rule to expand its Defense Industrial Base Cybersecurity information-sharing program to include more contractors who hold sensitive data for the services and DOD agencies, in response to an increased interest in wider community participation.
SAN FRANCISCO -- Contracting attorney Robert Metzger offered two potential reasons behind why the Pentagon's process to issue a rulemaking implementing its Cybersecurity Maturity Model Certification program is delayed, following a panel discussion at an industry event here at the RSA conference.
SAN FRANCISCO -- The Federal Acquisition Security Council completed a lot of work to make sure the process for issuing removal and exclusion orders for untrustworthy equipment on federal systems is deliberate and risk-based, according to National Institute of Standards and Technology supply chain leader Jon Boyens, who participated in a panel with leaders behind the Defense Department's cyber certification program.
The annual RSA conference in San Francisco kicks off Monday with a focus this year on the national cyber strategy, operational collaboration, hardware and software security and more in keynote sessions and panels running through Thursday.
The Aerospace Industries Association is urging its members to achieve the current cyber requirements in defense contracts regarding National Institute of Standards and Technology Special Publication 800-171 and accompanying documentation as uncertainty continues over when the Pentagon's Cybersecurity Maturity Model Certification program will launch.
Stacy Bostjanick, chief of defense industrial base cybersecurity, says industry should expect to see a rulemaking in June that will expand the Pentagon's incident reporting program for companies who currently have a defense contract to the wider defense industrial base that handles controlled unclassified information.
DOD Chief Information Officer John Sherman assured lawmakers at a Thursday hearing on the rollout of the Cybersecurity Maturity Model Certification program, acknowledging it has faced delays following an internal review while committing that it will be carried out successfully.
The Defense Department has finalized a rulemaking to revise the use of its supplier risk system platform for acquisition officials when evaluating bids for contracts, making a move that stakeholders see as a precursor for the Pentagon's Cybersecurity Maturity Model Certification program becoming part of the formal acquisition process.
The U.S. government's transition to a zero-trust architecture will continue to be a top priority as the National Security Agency and Defense Department continue on their journey with new guidance for national security systems, while civilian agencies reveal cost estimates for the move to ZTA as part of their fiscal year 2024 budget requests.
The Defense Department's Cybersecurity Maturity Model Certification leader Stacy Bostjanick and accreditation body CEO Matthew Travis are pushing for the entire federal government to adopt National Institute of Standards and Technology Special Publication 800-171, the Pentagon's foundational standard for handling sensitive federal data for its CMMC program, to ensure consistency between defense and civilian requirements.
The Pentagon has updated its cybersecurity reference architecture to address mandates from the 2021 cyber executive order with a focus on zero trust and how associated principles can secure Defense Department business operations and national security systems.
The Information Technology Industry Council wants the Defense Department to leverage the General Services Administration's FedRAMP program to help military services and agencies transition to zero trust with help from cloud service providers.
The National Institute of Standards and Technology is offering a preview into upcoming changes to its foundational guide for organizations handling sensitive federal data.
Rep. Mike Gallagher (R-WI), chairman of the House Armed Services cyber, information technologies and innovation subcommittee, is planning to push for legislation to create a joint collaborative environment within the Cybersecurity and Infrastructure Security Agency and address "systemically important critical infrastructure," in an effort to get two high-priority recommendations from the Cyberspace Solarium Commission into law.
The Aerospace Industries Association raised concerns with the House Armed Services Committee over the cost of compliance with the Pentagon's Cybersecurity Maturity Model Certification program at a Wednesday hearing focused on strengthening the defense industrial base.
Matthew Travis, CEO of the accreditation body behind the CMMC program, says he is encouraged by the Pentagon's "commitment" to move forward with establishing a cyber certification initiative for defense contractors, despite a potential shift in the rulemaking timeline.
The accreditation body behind the Pentagon's cyber certification program has published a detailed spreadsheet outlining comments from stakeholders on the group's first assessment process guide.
Companies should continue preparing for the launch of the Pentagon's Cybersecurity Maturity Model Certification program as the process to finalize rulemaking continues, according to program director Stacy Bostjanick, who spoke with Inside Cybersecurity in a wide-ranging interview.
Leaders from the defense industrial base are urging the Cybersecurity and Infrastructure Security Agency to consolidate how it will collect mandatory incident reports from the sector into a single "channel" where information is shared between the Defense Department and CISA.
Full implementation of the Pentagon's Cybersecurity Maturity Model Certification program for defense contractors will likely shift to 2024 based on revised estimates from the Defense Department in the fall 2022 unified agenda, which indicates two proposed rules are expected for release in the coming months.