DoD plans CMMC listening sessions as questions swirl around review
Key Points:
- The Pentagon has initiated a rapid review of the Cybersecurity Maturity Model Certification (CMMC) program, aiming to balance cybersecurity enforcement with reducing compliance burdens on small defense contractors.
- The review, led by Defense Department CIO Kirsten Davies and others, has suspended third-party assessment requirements and seeks input from small businesses and cybersecurity stakeholders, with a report expected by late September.
- Officials criticized the current third-party assessment approach as overly burdensome and are considering a range of changes, from minor tweaks to a complete overhaul, while maintaining self-assessment and existing cybersecurity standards.
- Key challenges include the high cost of compliance for small businesses and a shortage of certified third-party assessors, though the Cyber Accreditation Body reports progress in building assessor capacity and delivering assessments.
- The review revisits issues from previous administrations, with legal experts warning that reliance on self-assessments could increase False Claims Act risks for contractors misrepresenting their cybersecurity status.