Six technology trade associations have asked the Department of Defense to consider their recommendations and respond to their queries with regard to the implementation of the Cybersecurity Maturity Model Certification program.
The trade groups presented their suggestions in a Thursday letter addressed to Ellen Lord, defense undersecretary for acquisition and sustainment and a 2020 Wash100 award winner, and Katie Arrington, chief information security officer and fellow Wash100 recipient.
The associations said they believe the establishment of a new third-party auditing process to advance enterprise-scale audits this year is “very ambitious” and that DoD should provide more clarity about the applicability and scope of the cyber framework if it intends to meet the timeline.
The Alliance for Digital Innovation, BSA: The Software Alliance, Cybersecurity Coalition, Information Technology Industry Council, Internet Association and the Computing Technology Industry Association urged the Pentagon to ensure that prime contractors, procurement officials and system integrators have enough knowledge of the certification requirements to “understand what needs to flow down to subcontractors, and at what specific CMMC level.”
The associations also recommended that the department align CMMC with the Federal Risk and Authorization Management Program, the Cloud Computing Security Requirements Guide and DFARS 252.204-7012. “Allowing for reciprocity with other cybersecurity requirements will reduce the cost and administrative burden of compliance and allow DoD to achieve its cybersecurity goals on a quicker timeline,” the groups wrote in the letter.
Other issues raised by the associations in the letter are consistency in procurement requirements, scope of coverage, certification in complex environments and clarification on how CMMC assessment priorities will be established.