The Pentagon hopes to have the first class of auditors to evaluate contractors’ cybersecurity ready by April, a top Department of Defense official said March 5.
The auditors will be responsible for certifying companies under the new Cybersecurity Maturity Model Certification (CMMC), a tiered cybersecurity framework that grades contractors on a scale of one to five. Level 1 designates basic cyber hygiene and Level 5 represents advanced, proactive practices.
Currently, there are no accredited auditors — known as Certified Third-Party Assessment Organizations (C3PAOs) — because the accreditation board that will certify them was only formally established in January.
“Our goal is to have, in late April, our pilot pathfinder on the training for the C3PAOs,” Katie Arrington, chief information security officer for the Office of the Under Secretary of Defense for Acquisition, said at an event hosted by DreamPort in Columbia, Maryland.
The accreditation board is working on training the auditors and the accompanying training materials.
Arrington said the fact that no auditors are working yet doesn’t mean companies shouldn’t be getting ready.
“You’ve got to get prepared for the audit,” she said. “You should be able to say ‘I think I’ve done my self-assessment, I think I’m at this CMMC level.’ Waiting for the audit to come in and then decide to get good or to get on track is not the way I would position my business.”
If all goes according to plan, all new DoD contracts awarded in 2025 will include the CMMC security requirements.
Arrington also suggested that the framework has received interest outside the DoD.
“Do I think that other federal agencies are getting on board? Yes they are. They’re waiting for me to get through my pathfinder,” she said.
She also referred to comments made by Under Secretary of Defense for Acquisition and Sustainment Ellen Lord, who explained nearly a dozen nations and international organizations are interested in adopting CMMC.