The governing body responsible for implementing the Defense Department’s unified cybersecurity program for contractors expects security procedures for authorized third-party assessors to start back up in early 2022. But DOD has the final say on the timeline.
The Defense Department’s unified cybersecurity standard for contractors, the Cybersecurity Maturity Model Certification program, has had a tumultuous 2021. But assessments could resume early next year.
Officials from the CMMC Accreditation Body, the governing organization responsible for implementing the CMMC program, said assessments performed by the Defense Industrial Base Cybersecurity Assessment Center could resume for organizations that will be tasked with evaluating defense companies’ cybersecurity posture.
Jon Hanny, the director of operations and chief information security officer for the CMMC Accreditation Body, said during a Dec. 20 virtual town hall that procedures for certified third-party assessment organizations (C3PAOs) should resume by the end of January. DOD has the final say on the timeline, however.
Organizations that were already in process when DOD paused implementation to restructure the program after a series of reviews have had their assessments rescheduled, Hanny said, and new ones are being added to the queue. Additionally, the DIBCAC process is being updated to reflect the changes made to the CMMC program.
“So the expectation is that everything will be worked out early to mid-January, and then the assessments will resume,” Hanny said, adding that new C3PAOs were being added to the queue as they become ready. “We are ramping up as much as we can,” he said.
Once completed, those organizations should then be able to begin conducting assessments on defense companies. Those assessments, however, would be completely voluntary as the CMMC program goes through the rulemaking process, which could take up to two years.
Matthew Travis, the CMMC Accreditation Body’s chief executive officer, said moving forward with assessments hinges on DOD giving the “green light.” The timing will also be affected by when the administrative tasks, such as preparing the IT systems that assessment organizations will use to upload the assessment data and updated documentation to incorporate program changes, are complete.
“I talked to a C3PAO authorized today, they've got customers ready to go,” Travis said during the town hall. “So when that green light comes on, you're going to see assessments starting.”