The Pentagon has started its first pathfinder to pilot its new cyber security contracting standards, assessing an existing Missile Defense Agency contract, with plans to begin expanding efforts over the next several months.
Ellen Lord, the department’s top acquisition official, told attendees during a recent Professional Services Council event that the Pentagon is also beginning work this month on constructing a new database for Cybersecurity Maturity Model Certification (CMMC) reports.
Lord said DoD’s Office of the Chief Information Security Officer for Acquisition (OCISO-A) is working with MDA on the CMMC pathfinder for the unspecified existing contracts to ensure the new program’s accreditation body is able to properly assess vendors’ supply chain security standards.
“The pathfinder encompasses acquisition tabletop exercises, training of mock assessors, conducting mock assessments, that are non-punitive, of a prime contractor and three subcontractors on an existing contract and the demonstration of CMMC-AB processes,” Lord said.
CMMC is intended to improve supply chain security by assigning vendors a cyber security certification on a five-point scale, with the program expected to include a total of 10 pilot programs as part of DoD’s phased rollout plan.
OCISO-A is working with another DoD agency to initiate a second CMMC pathfinder in September “that conducts an additional non-attribution, non-punitive mock CMMC assessment for a subset of the contractors,” as well as assisting the services in identifying new contracts that could be used for potential pilots.
“These pilots will be implemented on new DoD contracts to further reduce the risk of the CMMC phased roll-out by focusing on the flowdown of controlled, unclassified information and CMMC requirements through the supply chain and conduct of mock assessments,” Lord said.
Lord also noted that DISA’s Enterprise Mission Assurance Support Service program office is working on the infrastructure for the new database, which will host CMMC assessment reports and analytics.
DoD is also discussing CMMC implementation efforts with international partners, according to Lord, who said there is interest in pursuing similar standards from Canada, the U.K., Denmark, Italy, Australia, Singapore, Sweden, Poland, Israel and the EU’s cyber security body.
“There is potential for these countries to adopt U.S. standards, which is really very exciting,” Lord said.