Information Security News mailing list archives

Critical Update: Why the Pentagon's Cybersecurity Certification Program Inspires Hope and Fear


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 20 May 2020 06:28:05 +0000 (UTC)

https://www.nextgov.com/podcasts/2020/05/critical-update-why-pentagons-cybersecurity-certification-program-inspires-hope-and-fear/165486/

By Mariam Baksh
Nextgov.com
May 19, 2020

The implications of the Defense Department’s plan to subject its suppliers to
independent cybersecurity audits, a program known as Cybersecurity Maturity
Model Certification, apply far beyond the defense industrial base. Contractors
of all shapes and sizes are in a tizzy.

Before the end of the year, the Defense Department intends to finalize a rule
change that will require any contractor it engages with to have obtained a
certification of its cybersecurity practices from an approved external auditor.
The new rule will end the department’s current practice of taking companies at
their word on this.

And Katie Arrington, chief information security officer for DOD’s acquisition
office and the woman heading up the program, likes to remind those who might be
running scared of a certain fact: There’s no escaping CMMC; its adoption or
replication across the federal government and the broader U.S. economy is
inevitable.

“It’s not DOD, that’s one thing I want to make clear,” Arrington says. “This
isn’t just DOD.”

As ambitious as the CMMC seems—the program looks to eventually cover 300,000
contractors and subcontractors—it’s still just a small part of the equation in
emerging U.S. cyber policy.

[...]
