The Pentagon said Monday the accreditation board for the department’s new cyber security contracting standards is expected to open registration later this week for organizations interested in serving as third-party auditors for the new program.
The department noted officials leading the Cybersecurity Maturity Model Certification (CMMC) effort signed a memorandum of understanding on March 23 that DoD “will only accept certifications from an assessor or a CMMC Third Party Assessment Organization (C3PAO) who has been accredited for assessments” by the accreditation board.
“Assessments from non-CMMC-AB accredited organizations will not meet the standard for contract award under the CMMC stipulations,” department officials wrote.
CMMC is intended to improve supply chain security by assigning vendors a cyber security certification on a five-point scale, and will begin with a phased rollout starting with 10 pilot programs this summer.
Pentagon officials detailed the role of the CMMC accreditation board in January, noting the independent body is tasked with training third-party organizations interested in serving as C3PAOs (Defense Daily, Jan. 31).
“I believe it is absolutely critical to be crystal clear as to what expectations for cyber security are, what our metrics are and how we will audit for those expectations,” Ellen Lord, the department’s top acquisition official, told reporters in January. “Conflicts of interest will be a point of emphasis in the memorandum of understanding, helping ensure auditors cannot review one’s own company, for example.”
The Pentagon has previously appointed Ty Schieber, senior director of executive education at the University of Virginia Darden School Foundation, to lead the CMMC accreditation board.