Dr. Christine Michienzi, the chief technology officer for the Office of the Deputy Assistant Secretary of Defense for Industrial Policy, said while results were coming soon, defense contractors should "continue on" with updates to cybersecurity practices as DOD finalizes its review of its Cybersecurity Maturity Model Certification program.
The Pentagon wants defense contractors to keep pushing forward with preparing for the implementation of the Cybersecurity Maturity Model Certification program despite pending results from its internal review, which could bring significant changes to the program.
Dr. Christine Michienzi, chief technology officer for the deputy assistant secretary of defense for industrial policy, said on Tuesday that "everything is currently under review" from the way CMMC is structured and using third party assessors to certify companies to the cybersecurity levels with which have been rolled out.
"Everything is currently under review to make sure that that is the best mechanism that we can use -- the independent auditors versus [Defense Contract Management Agency] versus self-attestation -- at the different levels and what those levels need to be because the initial levels that were rolled out and [may] need to be revisited," Michienzi said during a fireside chat with former DOD acquisition chief Ellen Lord at the Intelligence and National Security Alliance's Intelligence and National Security Summit on Sept. 13.
When asked what contractors should be doing in the meantime, Michienzi said "continue on with what you're doing -- don't do any major changes -- but the guidance should be coming out shortly."
The comments come after trade associations representing government contractors asked the Pentagon for more transparency with regard to its CMMC reviews in a letter to Deputy Defense Secretary Kathleen Hicks.
"The lack of clarity during the review process has increased uncertainty throughout the [defense industry base] and among commercial vendors seeking to provide covered commercial items. Changes to CMMC, for example, would conceivably impact the timeline, scope and manner of implementation for program requirements," the group said.
Michienzi stressed that CMMC will endure as it is a "methodology to make sure that cybersecurity practices are understood and are being implemented" and the Defense Department wants to hear feedback directly from industry so that lessons learned can be included in the review.