The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.
The CMMC program will ultimately require that all defense contractors have their cybersecurity practices certified by a system of independent third-party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.
Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases—15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year—and won’t be fully applicable until 2025.
Continue reading at: Nextgov