DOD wants industry to continue with CMMC prep amid program review
- By Lauren Williams
- Sep 16, 2021
The Pentagon wants defense contractors to keep pushing forward with preparing for the implementation of the Cybersecurity Maturity Model Certification program despite pending results from its internal review, which could bring significant changes to the program.
Dr. Christine Michienzi, chief technology officer for the deputy assistant secretary of defense for industrial policy, said on Tuesday that "everything is currently under review" from the way CMMC is structured and using third party assessors to certify companies to the cybersecurity levels with which have been rolled out.
"Everything is currently under review to make sure that that is the best mechanism that we can use -- the independent auditors versus [Defense Contract Management Agency] versus self-attestation -- at the different levels and what those levels need to be because the initial levels that were rolled out and [may] need to be revisited," Michienzi said during a fireside chat with former DOD acquisition chief Ellen Lord at the Intelligence and National Security Alliance's Intelligence and National Security Summit on Sept. 13.
When asked what contractors should be doing in the meantime, Michienzi said "continue on with what you're doing -- don't do any major changes -- but the guidance should be coming out shortly."
The comments come after trade associations representing government contractors asked the Pentagon for more transparency with regard to its CMMC reviews in a letter to Deputy Defense Secretary Kathleen Hicks.
"The lack of clarity during the review process has increased uncertainty throughout the [defense industry base] and among commercial vendors seeking to provide covered commercial items. Changes to CMMC, for example, would conceivably impact the timeline, scope and manner of implementation for program requirements," the group said.
Michienzi stressed that CMMC will endure as it is a "methodology to make sure that cybersecurity practices are understood and are being implemented" and the Defense Department wants to hear feedback directly from industry so that lessons learned can be included in the review.
"Please provide as much input as you can -- I cannot stress how important that is. We are really trying to make sure that we are listening to what industry's feedback was for the initial implementation. We will be finalizing any changes to CMMC very soon and we will be transmitting that to you," Michienzi said.
This article first appeared on FCW, a Defense Systems partner site.
Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.