Inside Cybersecurity

March 28, 2024

CMMC accreditation body formalizes relationship with IT acquisition council

By Sara Friedman / July 30, 2020

The accreditation body supporting the Defense Department’s Cybersecurity Maturity Model Certification program has signed a memorandum of understanding with a council focused on information technology acquisition professionals to collaborate on conferences and industry outreach.

The IT Acquisition Advisory Council is a public/private partnership created in 2000 by the Pentagon “to improve DOD’s embrace of commercial standards, best practice and lessons learned,” according to the MOU signed by IT-AAC executive director John Weiler and CMMC-AB chairman Ty Schieber on Tuesday.

“The missions and goals of both the CMMC-AB and IT-AAC are potentially complementary with respect to providing DIB companies the necessary education, mentoring and tools needed to improve cyber hygiene, promoting adoption of cybersecurity implementation best practices, and supporting collaborative mechanisms that assure successful implementation of the CMMC across Defense sectors,” the MOU says.

The MOU continues, “Both organizations desire to explore potential collaboration activities that further CMMC implementation effectiveness, support implementation of guidance issued by DoD, and enable achievement of the goals established in the National Defense Authorization Act.”

Weiler was appointed to serve as a board member to the CMMC-AB in January when the new entity was established. He resigned from the board on Tuesday when the MOU was signed with his organization.

“The CMMC Accreditation Body is founded on a model of service to the Defense Supply Chain in support of the goal of securing it,” the CMMC-AB posted on its website. “The IT Acquisition Advisory Council (IT-AAC) shares in those goals and that mission. Both organizations are non-profits. IT-AAC brings a large membership and through them the ability to bring vast resources to bear in support of education and training including advice, events, podcasts and more. The AB looks ahead to working with IT-AAC to enhance the cybersecurity of the Defense Supply Chain.”

The MOU states that “As the CMMC-AB is self-funded and solely responsible for the implementation of the CMMC on behalf of the DoD, IT-AAC will support the CMMC-AB by identifying, qualifying and validating potential partnering opportunities, which IT-AAC has as part of its normal business operations, that can further the CMMC ability to achieve its mission.”

The MOU establishes that the relationship between the CMMC-AB and IT-AAC is based on several principles:

  • Opportunities are discrete events bounded by scope and time as a general rule.
  • Based on confirmation of the opportunity potential, and based on level of effort and return on investment (ROI) analytics, parties will agree to establish a revenue sharing method in good faith that is commensurate with the opportunity that is legal, fair, and equitable for both sides.
  • Should an opportunity have the potential to expand into a longer-term commitment, both parties agree to manage that separate from this MOU under the appropriate mechanism. For example, some opportunities may lend themselves to contractual obligations recognized by both parties. Those would be developed outside the scope of this MOU as separate activities.
  • IT-AAC, in the course of its normal business relations, may invite the CMMC-AB to participate in partnering activities that IT-AAC has forged or created. This MOU allows for that decision to participate and for exploration of the opportunity in the mutual interests of both parties.
  • Both parties, under the rights and privileges imbued by their autonomy, retain the right to develop unilateral agreements with entities as needed.
  • Joint marketing activities, if any, will be coordinated in good faith.

The MOU will last for one year and is subject to “an annual renewal based on mutual review and agreement.” -- Sara Friedman (sfriedman@iwpnews.com)