The Pentagon’s small business office is polling companies about their readiness to meet the Cybersecurity Maturity Model Certification requirements, with CMMC set to officially become a contracting requirement next week.
The Defense Department Office of Small Business Programs released a new pulse survey on CMMC compliance last week. The goal is to evaluate CMMC readiness, concerns and challenges.
“This short survey will help us better understand how small businesses are navigating these changes so we can tailor our support, resources, and guidance to better meet your needs during the transition,” the survey website states.
The survey comes on the eve of the CMMC acquisition rule becoming effective Nov. 10. DoD already finalized the CMMC program rule last year, but evaluations done under the program to date have been voluntary.
With the acquisition rule entering into force, DoD will start including CMMC requirements in contracts.
Concerns about the impact on small business have shaped the CMMC program since its beginning. Last year, the Small Business Administration’s Office of Advocacy publicly flagged concerns about companies’ ability to comply with CMMC.
The goal of CMMC is to ensure defense contractors are following existing requirements for protecting controlled unclassified information, including through third-party evaluations. During the first year after the program takes effect on Nov. 10, however, the Pentagon will mostly include the less arduous CMMC self-assessment requirements in contracts.
The government shutdown is not expected to change the effective date of the program, according to Matthew Travis, chief executive officer of the Cyber Accreditation Body.
“Even if the government is shut down, the rule enters into effect,” Travis said last week at Palo Alto Networks’ public sector conference. “There won’t be any contracting officer to enforce it at the time, but CMMC is here.”
CMMC by the numbers
Travis said nearly 500 organizations have received a level two certification involving an evaluation done by a CMMC third-party assessment organization, or C3PAO. The Cyber AB oversees the accreditation of C3PAOs.
During a separate town hall hosted by the Cyber AB last week, Travis said that the group has now trained 567 CMMC certified assessors, including 331 lead CCAs.
The number of assessors will be crucial as the Pentagon ramps up CMMC third-party assessment requirements to tens of thousands of defense contractors in the coming years.
A ‘global program’
While the program was created for DoD contractors, Travis said CMMC “increasingly is becoming a global program.”
Travis said the program will eventually have foreign C3PAOs and assessors to help evaluate DoD’s global supply chain.
“In some cases, there are non-U.S. companies that are prime contractors themselves. They’re going to have to meet CMMC standards,” Travis said.
Pentagon officials hope other federal agencies and international partners will also adopt the CMMC standards.
“I do think this is blazing the trail that others will fall behind,” Travis said. “When you think about how the government can manage the digital risk of its industry partners, when you think about the collective risk that exists in the cyber domain, there really aren’t many other options for government at the federal level, state, local internet, other than to require some standards for cybersecurity and then certification of those.”
Earlier this year, the Federal Acquisition Regulation Council proposed a new rule to establish uniform requirements for handling CUI. The requirements are based on the same standards as CMMC, though the proposed FAR rule doesn’t mention CMMC or even third-party enforcement.
Meanwhile, the Department of Homeland Security in 2023 rolled out its own contractor cybersecurity evaluation approach. A DHS official at the time said CMMC “wouldn’t really work with our industry base.”
But Travis said CMMC could draw interest from other agencies amid persistent concerns about contractors protecting sensitive data.
“CMMC is the most ambitious cybersecurity conforming regime yet attempted,” he said. “And I think it’s going to get even bigger when you see other departments saying, we need that verified trust from our contracting partners to ensure that when we give them our critical information, that we know that they’re certified, there’s a reasonable expectation that that data will be protected.”
The post Pentagon looks to get pulse of small businesses as CMMC looms first appeared on Federal News Network.
