On March 23, 2020, Under Secretary of Defense for Acquisition and Sustainment, Ms. Ellen Lord, and Mr. Ty Schieber, Chairman of the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB), signed a Memorandum of Understanding (MOU) that established the roles, responsibilities, and authorities of each organization to help ensure a cyber-safe, cyber-secure and cyber-resilient defense industrial base.
The MOU states that DoD will only accept certifications from an assessor or a CMMC Third Party Assessment Organization (C3PAO) who has been accredited for assessments by the CMMC-AB.
The CMMC-AB anticipates opening registration for C3PAOs and assessors later this week. Assessments from non-CMMC-AB accredited organizations will not meet the standard for contract award under the CMMC stipulations.
The Department is currently working on CMMC pathfinder programs, which evaluate how we assess CMMC levels and align with requirements. The Department intends to conduct CMMC Pilots with new contracts this year. The requests for information (RFIs) associated with these pilots will be released this summer. This risk reduction effort, which includes non-punitive and non-attribution CMMC assessments by accredited C3PAOs in coordination with the CMMC-AB, will further inform the phased rollout of CMMC.
The Department is finalizing a zero-cost contract with the CMMC-AB to ensure that CMMC is applied equally throughout the Defense Industrial Base with consistency and rigor.
The delay in announcing this MOU is due to the Department’s extensive engagement in helping protect the force, supporting the whole-of-government fight against COVID-19, and supporting the 55K service members who remain on the front lines of that fight.
CMMC has been, and will remain, a priority for the Department, and will safeguard our enterprise against cyber theft losses that cost our Nation $100 billion annually, and $600 billion worldwide, equating to 1% of global GDP.
Ms. Katie Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, has continued to work closely with, and stay fully engaged with, the CMMC-AB and the defense industry.