The Defense Department is looking into how to keep contractors who pass a Cybersecurity Maturity Model Certification assessment accountable for maintaining their systems during the three-year certification period, according to John Ellis of the Defense Contract Management Agency, who says DOD may add an "affirmation" mechanism for companies to assert their compliance each year. Ellis explained the “one-year affirmation” in the context of the “early adopter assessments” which will allow companies to obtain a CMMC certification before the final rulemaking...
