Pentagon acquisition chief criticizes misleading information about new cybersecurity certification

By Justin Doubleday / March 13, 2020 at 4:52 PM

Defense Department acquisition chief Ellen Lord is calling out unnamed "third-party entities" for claiming they can offer assessments under the Pentagon's new contractor cybersecurity certification program.

In a statement released to the media today, Lord said she has "consistently stressed the importance of communicating and engaging extensively" with stakeholders regarding DOD's new Cybersecurity Maturity Model Certification.

"Unfortunately, the department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DOD," Lord said. "The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners."

DOD released the CMMC Version 1 in January, but officials won't begin including the requirements in contracts until this fall.

"To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the department," Lord said. "At this time, only training materials or presentations provided by the department will reflect our official position with respect to the CMMC program."

Lord said she has reached out to the heads of the Professional Services Council, the Aerospace Industries Association and the National Defense Industrial Association "to make them aware" of entities claiming to offer CMMC certification services.

DOD and the independent CMMC Accreditation Body are close to reaching an agreement on roles and responsibilities for executing the CMMC program, including how the body will go about accrediting third-party certification organizations.

"Moving forward I am confident we will soon sign a Memorandum of Understanding (MOU) with the Cybersecurity Maturity Model Certification Accreditation Body on the accreditation, certification and approval processes relating to the Defense Supply Chain," Lord said. "When that happens we will make an announcement."