Georgia Tech Procurement Assistance Center

CMMC announces new advisory council to collect industry feedback

By

The governing body for the Defense Department’s cybersecurity compliance program has launched a new organization charged with getting defense contractors’ feedback on the implementation process.

The CMMC advisory council will “provide a crystallizing, unified voice” for defense contractors seeking certification and “supply key feedback, input, and recommendations for implementing CMMC” said Karlton Johnson, the chair of the CMMC Accreditation Body.

The council is separate from the board of directors and will operate between the defense industry base, the CMMC Accreditation Body, and the Defense Department.

Continue reading at:  FCW

What is CUI – The devil is in the details

By

Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors.  This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification program.

Continue reading at:  National Defense Magazine

DoD initiates CMMC review

By

When the Defense Department confirmed that Deputy Secretary Kathleen Hicks decided to review the Cybersecurity Maturity Model Certification (CMMC) program, initial reactions were mixed.

Some experts said this is a significant sign that the Biden administration wants to rethink major aspects of CMMC.

Others say it’s a perfunctory review and one any new administration would undertake given the importance of the program.  They say these reviews likely are happening across DoD.

Continue reading at:  Federal News Network

See also this article in FedScoop:  CMMC is under an internal DoD review

Matthew Travis hired as CMMC Accreditation Body CEO

By

The third-party board implementing the Department of Defense‘s new cybersecurity standards for contractors finally has a CEO after months of searching.

Matthew Travis, a former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, has been tapped to lead the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) — the organization tasked with overseeing the ecosystem of assessors who will inspect the IT networks of the 300,000 companies in the defense industrial base.

Travis will lead day-to-day operations of the CMMC-AB, a job that has largely been filled by the AB’s board of directors in the nearly 15 months since it was incorporated.

Continue reading at:  FedScoop

Tips to prepare for a first CMMC assessment

By

With cyberterrorism acknowledged as an ever-increasing threat to national security, it came as no surprise when the Defense Department last year introduced a more robust cybersecurity framework in the form of the Cybersecurity Maturity Model Certification (CMMC).

Businesses must meet one of five levels of certification, with the new standard already required for certain defense contracts, while the planned five-year rollout aims to ensure that, by 2026, all government defense work will include the CMMC requirement, impacting more than 300,000 contractors.

Preparation is the key to success.  The sooner a company begins preparing for a CMMC third-party assessor organization, or C3PAO, to come in, the smoother its progress along the journey will be.

Continue reading at:  National Defense Magazine

Podcast: CMMC, and transitioning to the new requirements

By

Everyone knows that DoD gets thousands of attacks every day.  These attacks are getting more creative by attacking DoD’s trusted supply chain.  The SolarWinds incident is an example of how a trusted software supplier was shown to have been compromised.

To control some of these creative attacks, DoD has created the Cybersecurity Maturity Model Certification (CMMC) that companies who do business with DoD may need to comply with to continue to do business with the DoD in the future.

The Federal News Network recently held a podcast with John Gilroy and FedHIVE CEO Michael Cardaci, who talked about ways to smooth the transition to the Cybersecurity Maturity Model Certification or CMMC.

Listen to the Podcast at:  The Federal News Network

GSA signals increased cybersecurity requirements in civilian IT GWACs

By

The General Services Administration (“GSA”) is including language regarding cybersecurity requirements in requests for proposals relating to certain IT governmentwide acquisition contracts (“GWACs”).  Certain requirements will be modeled on those the Department of Defense (“DoD”) is including in its contracts as part of the Cybersecurity Maturity Model Certification (“CMMC”) program.

The GSA confirmed recently that businesses preparing to submit proposals in response to two proposed GWACs (Polaris/Stars III) should expect to see Cybersecurity Maturity Model Certification (“CMMC”) level-specific requirements in certain subsequent orders issued against those contracts.  Speaking at a recent event, Keith Nakasone, deputy assistant commissioner for IT acquisition at the GSA, explained that these new CMMC requirements will be incorporated at the order level rather than the contract level, in order to introduce flexibility in addressing unique needs and bolster an agile framework.

Continue reading at:  JD Supra

A related article can be found at FCW:  https://fcw.com/articles/2021/02/17/cmmc-gsa-gwacs-get-ready.aspx

GSA preps guidance for using CMMC in civilian contracts

By

The General Services Administration wants to get ahead on training and education materials contracting officers will need as Cybersecurity Maturity Model Certification requirements become standard in government contracts.

Keith Nakasone, the GSA’s deputy assistant commissioner for IT acquisition, said the agency is developing ordering guides for contracting officers who use government-wide acquisition contracts (GWACs).

“We know that training is going to be required as we go through this process with our Department of Defense partners,” Nakasone said during an AFFIRM event on CMMC on Feb. 17.  “So as we move forward, we want to present an ordering guide where we have created templates, some guidance in our ordering process [on] how to use the GSA contract.”

Continue reading at:  FCW

CMMC reciprocity in sight for 2021

By

The Defense Department is still figuring out how to save contractors money with its unified cybersecurity standard by authorizing reciprocity for multiple government certification programs, but an answer could come by the end of the 2021 fiscal year.

One of the key pledges DOD needs to fulfill for its Cybersecurity Maturity Model Certification program is building on work contractors have already done to meet security requirements for programs like the Federal Risk and Authorization Management Program (FedRAMP).

Stacy Bostjanick, CMMC’s director at the Defense Department’s Office of the Undersecretary of Defense for Acquisition and Sustainment, said a team is working with the General Services Administration and DOD to align the requirements, methodologies, and levels of the two programs.

“FedRAMP allows for [plans of action and milestones] and CMMC does not,” Bostjanick said Feb. 10 during an AFCEA NOVA event on IT and the intelligence community.  “You’ve either got it or you don’t.”

Continue reading at:  FCW

Final rule, formal training on CMMC could hit this summer

By

A final rule on the Defense Department’s unified cybersecurity standard could debut as soon as this summer, defense officials said.  But implementation hinges on standing up a formal training system.

Diane Knight, who is DOD’s lead for the Cybersecurity Maturity Model Certification program’s pathfinders and pilots, said a final rule could roll out as soon as April but wouldn’t confirm a concrete timeline.

“There will be a final rule and we have that identified on schedule coming up here too,” Knight said Jan. 26 during a virtual town hall hosted by the CMMC Accreditation Body (AB).

Knight also previewed a “notional” timeline for the pilots where requests for proposals would be released in April and awards coming in August.  By April contractors seeking to participate in the pilots would be expected to have prepared for a CMMC assessment, reviewed requirements with subcontractors and to request an authorized third-party assessors (C3PAOs) assessment.  Proposals would be due by July, according to the documents, and a certification would be needed when the contract is awarded.

Continue reading at:  FCW

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More