With CMMC 2.0, DoD removed process maturity as an assessed requirement. Some commentators are suggesting that NIST 800-171’s “NFO” controls inherently require policies. We explore the requirement in this article.
DoD submitted but quickly withdrew an “advanced notice of proposed rulemaking” entitled “Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward”.
CMMC depends upon Authorized C3PAOs. DCMA’s DIBCAC team plays a crucial role in the C3PAO authorization process. However, the DIBCAC teams’ calendars were already full prior to CMMC. In this article, co-authored with Kyle Lai, Carter Schoenberg, Tony Buenger, and Derek White, we discuss whether the current system is likely to clear the CMMC C3PAO backlog in a timely manner and explore a few alternatives.
Changes to the FAR/DFARS imposed by the recent Executive Order on Increasing our Nation’s Cybersecurity and the expected publication of the Final Rule for CMMC are now both expected in September, although the exact dates are still unknown. With all the expected changes, October promises to be a very busy time for defense contractors!
The CMMC Accreditation Body announced that their June update will be held June 29, 2021 from 6-7 PM Eastern. The (more…)