The Pentagon is Standing Up a Nonprofit to Assess Vendor Cybersecurity

The organization would be responsible for running the department’s Cybersecurity Maturity Model Certification.

The Defense Department is looking to stand up a nonprofit organization to measure the strength of its contractors’ cybersecurity practices.

The group would be responsible for running the vendor accreditation process under the Pentagon’s new Cybersecurity Maturity Model Certification, or CMMC. The framework, which was released in draft form last month, will serve as a yardstick for determining if contractors are taking sufficient steps to protect the sensitive military data that resides on their networks.

The certification process is intended to push the Pentagon’s extensive network of vendors to strengthen their digital defenses, or at least adopt protections that are appropriate for the sensitivity of their work. The program comes as adversaries like China increasingly target defense contractors to steal military secrets.

“Preventing loss of [controlled unclassified information] within the defense industrial base is critical to maintaining national security,” Pentagon officials said in a request for information published last week. They estimate there are roughly 300,000 vendors in need of certifications, most of which are small- and medium-size businesses.

The CMMC Accreditation Body would operate the certification program and oversee the independent assessment groups, or C3PAOs, that will issue credentials to contractors, according to the RFI. Pentagon officials haven’t yet finalized the structure of the organization, and in the solicitation, they asked for outside feedback on its “long-term implementation, functioning, sustainment and growth.”

Responses are due Oct. 21.

Under the certification program, assessors will grade vendors on their practices and processes in 18 different cybersecurity-related domains, including access control, governance, incident response, risk assessment and employee training. Scores will range from one to five, with higher marks indicating stronger security.

Once the maturity levels are established, the department plans to work with third-party assessment organizations to “conduct audits and inform risk,” similar in structure to the civilian Federal Risk and Authorization Management Program, or FedRAMP, which uses third-party contractors to verify the cybersecurity of cloud products.

The framework is currently in its fourth draft, and Pentagon officials plan to release the final version in January.