DOD-backed cyber certification accreditation body readies for February launch

By Rick Weber  / January 16, 2020

An accreditation body that will certify third parties to audit the cybersecurity practices of Defense Department contractors is expected to form its complete board of directors by the end of next week, clearing the way for signing a Memorandum of Understanding with DOD acquisition officials by the beginning of February, according to officials involved in the effort.

The emerging accreditation body for DOD's Cybersecurity Maturity Model Certification program is in the process of interviewing more than 50 applicants received by the Tuesday deadline to fill the remaining positions of the 13-member board of directors, which is expected to be completed next week, officials said at a MITRE-hosted meeting on supply-chain security Wednesday.

Also, the accreditation body is expected to complete its process for incorporation once its board of directors is in place, allowing DOD to negotiate and sign an MOU for the body to implement the CMMC program, with DOD officials expecting a formal rollout at the beginning of February, officials said.

Officials at the MITRE meeting in McLean, VA, a quarterly gathering of the Software and Supply Chain Assurance Forum, provided the latest update on the establishment of the CMMC AB since industry-based working groups announced on Jan. 8 the selection of the University of Virginia's Ty Schieber to serve as board chairman. The MITRE meeting was held under the Chatham House rule.

In addition to establishing a board, the accreditation body is seeking funding sources, an official said, including the possibility of "investors."

DOD is planning to issue a proposed rule this fall, officials said, which would codify contractor requirements spelled out by the latest CMMC plan dated Dec. 6.

Pentagon acquisition officials also expect to issue assessment guidelines in March to offer industry more direction on how and whether to seek cybersecurity certification under the landmark program, which was unveiled in August.

An official said a request for information on including CMMC requirements in contracts will be issued in June for comment. The Pentagon expects to include the certification requirements in a request for proposals this fall following the release of regulations.

Contractors will be required to achieve a certification level of one to five under the tiered CMMC program before being awarded a contract, officials told industry and government participants at the MITRE meeting. A final version of the CMMC model will be issued in the next few weeks and will be handed over to the new accreditation body to manage by the end of the month, officials said. The CMMC standards will be updated annually by DOD with the possibility of specific revisions to address "emergent" threats as deemed necessary.

The decision to conduct a rulemaking has slowed the Pentagon's initial plan for rolling out contractor certification, under which about 1,500 companies were expected to be certified during the first year of the program, an official said: "Because we're going to be doing a rulemaking." Those initial certifications will be focused on the "lower level" of the CMMC requirements to "make it easier" for businesses. "If we get this right, in terms of rollout" and implementation, the contractor certification requirements are likely to be adopted by other agencies, with major implications for the private sector across all industries, according to the official.

The latest CMMC draft issued last month includes security practices for the highest levels of risk faced by contractors -- levels four and five, which apply mostly to large companies -- of the five-tier certification program based on standards issued by the National Institute of Standards and Technology.

An earlier draft issued in November focused on lower-level risks -- levels one through three -- while the latest plan includes security practices based on NIST standards, Special Publication 800-171B, proposed in June in response to "advanced persistent threats" from foreign adversaries such as China, Russia, North Korea and Iran. Those standards for protecting controlled unclassified information on non-federal systems have yet to be issued as final by NIST.