Pentagon testing waters for accreditor of contractor cybersecurity assessments
The Department of Defense will soon be on the hunt for a third-party accrediting organization to make sure contractors have met newly proposed cybersecurity standards.
DOD issued a request for information Thursday asking organizations interested in serving as the accreditation body to submit feedback on the “long-term implementation, functioning, sustainment, and growth” of the process. The program will be known as the Cybersecurity Maturity Model Certification (CMMC).
The department issued version 0.4 of the CMMC last month, giving contractors a glimpse into the sort of cybersecurity standards they must meet if they want to work on projects that handle controlled but unclassified information. Ultimately, CMMC is an effort to secure DOD's extremely complicated and spiderwebbed IT supply chain from the largest contractors to the smallest.
The DOD estimates that 300,000 organizations will need to meet the cybersecurity certification. The accreditation body will not directly perform those assessments; it will manage the other third-party organizations that do that work.
The accrediting body must be a nonprofit that uses “revenue generated through dues, fees, partner relationships, conferences, etc.” to fund its work. There won’t be any other funding from the DOD, the RFI says. The relationship between DOD and the accreditor will be governed by a memorandum of understanding.
Interested parties have until Oct. 21 to submit feedback.
DOD plans to issue the final framework for the CMMC in January. Then, beginning in June 2020, all DOD requests for information will include the standards as a “go/no go” requirement, followed by inclusion in all requests for proposals in the fall that year.