The internal review of the Defense Department’s Cybersecurity Maturity Model Certification program is aimed at helping small businesses meet the department’s objectives for cyber readiness, while also making potential policy changes to clarify implementation, according to Pentagon industrial policy leader Jesse Salazar.
“CMMC represents a major leap forward in the department’s approach to cybersecurity and underscores our commitment to accountability within the defense industrial base,” Salazar said at a Professional Services Council event on Tuesday. “That’s why we published an interim DFARS rule establishing CMMC in November and the department has received more than 850 comments in response.”
Salazar, deputy assistant secretary of defense for industrial policy, said, “In March, the department initiated an internal assessment of CMMC, which is common for major programs to help us with minor policy program implementation. This assessment is ongoing and we are working toward an implementation approach that has three broad goals.”
First, DOD is focusing on managing costs for “cybersecurity for small business,” Salazar said, acknowledging that “small businesses are under immense market pressures.”
Salazar said, “The number of DIB small businesses has shrunk by more than 40 percent over the past decade. One of seven believe they will never return to pre-pandemic levels of performance. Our goal is to mitigate costs while protecting the cybersecurity of these businesses.”
“Our second goal for the next phase of implementation is aiming to clarify cybersecurity regulatory policy and contracting requirements,” Salazar said. “The department’s requirements are complex and challenging to navigate. We want to deconflict and streamline them in order to add clarity.”
Salazar said the last major item of review is to “reinforce trust and confidence in the maturing CMMC assessment ecosystem.”
“The department is ensuring that we can operationalize our requirements through a sufficient number of assessors,” Salazar said. “We are also clearly defining roles and responsibilities, standards of conduct and audit mechanisms within the external assessment ecosystem.”
The review is “being led by a cross-functional team and senior leaders across the department,” Salazar said. “We are taking a broad look at DIB cybersecurity beyond CMMC accreditation that includes cyber threat information sharing programs, cybersecurity as a service programs, education and training programs and we see great value in dedicating resources to help small companies improve cyber readiness.”
Salazar outlined three major objectives for the CMMC program: “to incorporate a broad set of cybersecurity requirements into acquisition language and contracting processes”; “to hold primes accountable and provide the department assurance via external assessment that contractors and subcontractors meet DOD’s security requirements”; and “to support businesses with resources, information, [and] training to improve DIB cyber readiness.”
One of DOD’s initiatives to help small businesses prepare for CMMC is Project Spectrum, which is managed by DOD’s Office of Small Business Programs. Melinda Woods of Eccalon gave a presentation at the event on Project Spectrum’s offerings.
The House Small Business Committee will hold a hearing Thursday on the impacts of DOD’s CMMC program for small businesses. CyberNINES president Scott Singer, 147 International CEO Tina Wilson, Ryzhka International president Michael Dunbar and Jonathan Williams of law firm PilieroMazza are scheduled to testify.
At a separate session, CMMC Accreditation Body executive director Matthew Travis gave an update on his initiatives and the status of the first two authorized certified third party assessment organizations.
Travis said the CMMC-AB is “moving forward with as much alacrity as we can” while the Defense Department conducts its internal review of the program. Travis said the Pentagon is still “deliberating” on potential changes to the program.
Redspin and Kratos are the first two authorized C3PAOs, but Travis said there is still work to do before the companies can start conducting assessments for contractors. Travis said the CMMC-AB is targeting “mid-July” to get all of the documentation necessary for the C3PAOs and finish setting up the portal for the C3PAOs to submit their assessments to the Defense Department. -- Sara Friedman