The Pentagon’s Cybersecurity Certification Plan Includes Continuously Monitoring Contractors  

A request for proposals outlines a portal where auditors would get automatic notifications if a company’s security score dips below a specified threshold.

The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program—the CMMC-AB—issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.

The CMMC will end the DOD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DOD to gain a certificate from third-party auditors that will be valid for up to three years.   

“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DOD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.” 

The CMMC-AB posted the RFP to its LinkedIn page earlier today with a May 1 deadline for responses.

Katie Arrington, chief information security officer for the Defense acquisition office, who has embraced the alternative title “mother of the CMMC,” mentioned the RFP during a webinar today on the DOD’s efforts to help small businesses amid the coronavirus pandemic. 

She was responding to a question about how the coronavirus would affect the timeline for implementing the CMMC. 

Arrington has previously said the program would be unaffected, noting that the training for assessors would largely take place online anyway.

But last week during a Bloomberg Government webinar she conceded the virus is “affecting every aspect of our lives” and that there may be a delay in initial audits by about two weeks.

Today, she seemed to give herself more flexibility but pointed to other areas, such as the CMMC-AB’s RFP, where the program is still moving full speed ahead. 

“The training and the audits are based with a portion in person, and until we get the directive from the president and [Defense] Secretary Esper, we have our stay at home orders and [are] only mission-critical and trying to keep our meetings in-person to a minimal, so stay tuned, we’re still doing our absolute best to stay on track.” 

Arrington said the plan is still to roll out the first class of auditors in late May or early June. The audits have to happen in person, on-site, she stressed, but she noted the DOD is working with the “pathfinders” who will undergo the initial reviews.

Inside the Portal

The chief requirement for respondents to the RFP is that the partner entity “accept and secure AB and DOD Intellectual property” and create a secure portal that would give various stakeholders varying degrees of access.

According to the RFP, organizations seeking certification, assessors and certified third-party assessment organizations known as C3PAOs “will all utilize the CMMC-AB’s continuous monitoring solution to conduct pre-assessment background research as well as monitor companies between formal assessments.” 

Defense officials have stressed their independence from the CMMC-AB. While the portal should support multi-factor access with the department’s Common Access Card, authorized DOD staff would only have “read only” access. They should, however, be able to “search for and view information on any company in the database and to access aggregated metrics from across all monitored companies and defined subsets thereof,” the RFP states.

Assessors and their C3PAOs, meanwhile, should be able to receive automatic notifications when the security score of any company they were responsible for assessing decreases by a specific, to-be-determined amount, according to the RFP.

The document also notes that while the CMMC-AB has not decided on a location for its physical headquarters, it has determined it will need to have a physical presence in each of the following regions: California, Texas, Connecticut, Florida, Washington, Pennsylvania, Massachusetts, Arizona and the Washington, D.C. area. 

The CMMC-AB notes a required presence in some international locations, including Germany and Japan. 

Some stakeholders have expressed concern about how the CMMC will apply to multinational companies and subcontractors based outside the U.S. 

A “continuous monitoring solution deployable on a global scale is therefore advantageous,” the group wrote in the RFP.
