DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.
This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.
When I say part of the DoD food chain, I mean at every level. An example DoD used recently was a requirement for the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified. EVERYONE is the plan.
Reports are the there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.
It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government. They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.
One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors. Ty is the senior director for executive education at Virginia’s Darden School Foundation.
A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year. While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.
Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.
Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well. That seems to be the other alternative to me and far worse.
Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.
It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.
There is a concern, and it is legitimate, that certifications from different auditors could produce different results. That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.
The important thing is to get started now. While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them done.
The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement. There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.
Source: Washington Technology