The Department of Defense reaffirmed its commitment to work with a volunteer, third-party accreditation body to implement its new cybersecurity standards.
The DOD included a statement of work (SOW) in a no-cost contract issued to the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), officials said. Negotiations over the contents of the SOW have been going on since the summer. It replaces the initial memorandum of understanding outlining the relationship between the two.
The contents of the SOW had been fiercely debated between the two bodies, most acutely over authority and responsibilities over the CMMC standards. The document is in the “final stages of signature,” according to a DOD spokeswoman. So far, no contract information has been posted to beta.sam.gov.
Katie Arrington, the lead CMMC official in the DOD and chief information security officer for acquisition and sustainment, also re-affirmed support for the AB, calling its efforts “tremendous.” CMMC is the DOD’s new set of tiered cybersecurity standards that will apply to all contractors and be subject to verification by certified assessors. Those assessors will be trained and accredited by the AB.
“We have absolutely never varied from being fully supportive of the AB,” Arrington said.
Arrington vowed to “make transparent” the SOW once it is fully executed.
Arrington also denied that she or her office is looking for another accreditation body to replace or compete with the AB accrediting and certifying assessors. Rumors had been circulating that she had met with another accreditation organization, A2LA. Arrington said she met with officials from the A2LA for “10 minutes.”
“We are not interested in issuing another statement of work,” she said.
A2LA did not comment when contacted by FedScoop.
Sources familiar with the negotiations over the SOW have described much more contentious conversations between Arrington and the AB. At times the officials have threatened to drop the current AB, documents reviewed by FedScoop show.