The Pentagon’s draft CMMC rule doesn’t exempt small firms from the security standards for defense contractors and subcontractors, but that doesn’t mean they won’t receive any help meeting the requirements.
The long-anticipated draft rule, which will be officially published on Dec. 26, outlines proposed updates to DOD’s cybersecurity requirements for defense contractors and subcontractors who handle sensitive military data.
The governing body responsible for implementing the Defense Department’s unified cybersecurity program for contractors expects security procedures for authorized third-party assessors to start back up in early 2022. But DOD has the final say on the timeline.
The Biden administration's pick to be the Pentagon's tech chief wants to make it easier for small businesses to adhere to the Defense Department's cybersecurity standards and expand network optimization across the entire enterprise.
Dr. Christine Michienzi, the chief technology officer for the Office of the Deputy Assistant Secretary of Defense for Industrial Policy, said while results were coming soon, defense contractors should "continue on" with updates to cybersecurity practices as DOD finalizes its review of its Cybersecurity Maturity Model Certification program.
Months of silence from the Defense Department on the status of the Cybersecurity Maturity Model Certification program is palpable and stirring unease among defense contractors, trade associations say in a letter to Deputy Defense Secretary Kathleen Hicks.
Matt Travis, the CEO for the Cybersecurity Maturity Model Certification Accreditation Body, said proper training and IT access to the Defense Department's Enterprise Mission Assurance Support Service (eMASS) application, which will house CMMC data, still need to be finalized for the third-party organizations that will be charged with conducting cyber assessments.