CMMC VOLUNTARY CERTIFICATIONS MOVE FORWARD

Contractors can begin voluntary Cybersecurity Maturity Model Certification assessments next month even in the absence of a final rule on what the exact standards will be.  The voluntary assessments will be conducted under the Defense Department’s Joint Surveillance Program and will result in companies’ receiving CMMC Level Two accreditation once the requirements become effective.  Level Three was believed to be the minimum level needed to work as a prime contractor, though making progress now may make it easier to achieve higher levels later.  The agency must also still go through the rulemaking process before final standards are adopted that will enable companies to seek certifications at the levels necessary to conduct their specific DOD business.  DOD’s Cyber Accreditation Body also recently released a “pre-decisional” draft of how the CMMC Assessment Process (CAP) may work.  The CAP document is supposed to provide directions to contractors, but several have pointed out that it is missing information, including referenced appendices, and contains typos.  This caused confusion and some consternation in industry.  CMMC adherence was supposed to have been a requirement starting about two years ago, but DOD has been unable to arrive at a final set of standards.  The entire process needed to be revamped into “CMMC 2.0” and the former program manager was “perp walked” out of the Pentagon for allegedly sharing too much information with industry.  The pressure to get to implementation may have caused the rush and subsequent errors.  In any case, DOD is accepting comments on the draft CAP until August 25th and CMMC accreditation will, one day, be required for any contractor doing business with DOD that handles Controlled Unclassified Information.