The DoD weighed in yesterday with a promise of additional changes, and soon, to the Cybersecurity Maturity Model Certification (CMMC) program.
We are told these changes will reflect industry feedback plus “internal government activities”. It appears they are a result of ongoing and wide-ranging reviews of the CMMC program that started this past spring.
All aspects of the CMMC program are under consideration in this review. This includes every level of cybersecurity compliance as well as the role of the independent, third-party CMMC “Accreditation Body”, a group of industry representatives that oversees the auditors who review Defense Industrial Base (DIB) companies’ cybersecurity practices.
The CMMC Accreditation Body has been criticized, both generally and in comments considered in this review, as opaque and lacking clarity in its results and direction. This criticism perhaps led to the statement by Christine Michienzi, CTO of Defense, at a recent conference in Maryland that even the assessment model itself is under review: independent third-party auditors, DoD certification, and self-certification are all being weighed as the best mechanism to use. Choosing either of the latter two would be a departure from the CMMC as it has been rolled out over the last few years, and could make the efforts of the accreditation body superfluous.
The best advice we can give right now is this:
Stay tuned, because there is one thing we know for sure: there will be changes to the CMMC, and those changes will change as well.
We told you there would be changes. According to InsideCybersecurity.com, the Department of Defense is not planning to release the final rule cementing CMMC until the end of 2021, due to the ongoing internal reviews. As is tradition, that could also change at any minute. We’ll be sure to keep you updated on any further changes.