CMMC Advisory Board – The Good News First

Stinson - Government Contracting Matters

Stinson - Government Contracting Matters

The Cybersecurity Maturity Model Certification (CMMC) Advisory Board (CMMC AB) made a major announcement on September 16, 2020, announcing that it has trained an initial group of provisional assessors. As an earlier posting explains, the CMMC establishes cybersecurity controls for certification of government contractors from Level 1, the basic set of controls that all government contractors to DoD must meet, to the highest Level 5, controls that contractors with Controlled Unclassified Information (CUI) facing the need for security to address Advanced Persistent Threats (APTs) must meet.

The plan for the CMMC rollout includes the establishment of a neutral body to provide standards and training, certification of third party assessment organizations (C3PAOs), and provision of a marketplace for these assessors to be identified for assessment of a government contractor regarding its compliance with a designated CMMC Level. Contractors that are assessed and then certified by the DoD as meeting the security controls specified for a designated CMMC Level are then eligible to receive an award of a DoD contract that requires certification at that CMMC Level, or other lower CMMC levels. Thus, establishment of a set of assessors deemed qualified to conduct the assessment of contractors for CMMC is a major step.

That said, there is some other news.

First, while DoD initially planned for ten pilot programs to kickoff CMMC, there are only a few so far. The General Service Administration (GSA) has introduced cybersecurity principles into their acquisition programs as well, but the phased in approach to introducing CMMC appears to be slower than initially scheduled.

Second, there has been a significant change in the leadership and membership of the CMMC AB. In its announcement, the CMMC AB advised that Chairman Ty Schieber and Communications Chair Mark Berman are out and Karlton Johnson, previously Vice Chairman, will not assume the role of Chairman. Additionally, to fill some now vacant positions on the Board, Yong-Gon Chon, Sheryl Hanchar, and Charlie Williams have been added as Directors.

Stay tuned for further developments. In the meantime, keep working to comply with the existing in place requirements of FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems and, if you contract with the DoD, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, including NIST SP 800-171, as applicable. And, start planning for compliance with CMMC certification level requirements!

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson - Government Contracting Matters | Attorney Advertising

Written by:

Stinson - Government Contracting Matters

Stinson - Government Contracting Matters on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.