The Pentagon hopes to have the first class of auditors to evaluate contractors’ cybersecurity ready by April, a top Department of Defense official said March 5.

The auditors will be responsible for certifying companies under the new Cybersecurity Maturity Model Certification (CMMC), a tiered cybersecurity framework that grades companies on a scale of one to five. A score of one designates basic hygiene and a score of five represents advanced hygiene.

The Pentagon has finalized the long-anticipated cybersecurity standards that contractors will have to follow before winning contracts from the Department of Defense, a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0.

Currently, there are no auditors — known as Certified Third-Party Assessment Organizations (C3PAO) — as the accreditation board came about officially in January.

“Our goal is to have, in late April, our pilot pathfinder on the training for the C3PAOs,” Katie Arrington, chief information security officer for the Office of the Under Secretary of Defense for Acquisition, said at an event hosted by DreamPort in Columbia, Maryland.

The accreditation board is working on training the auditors and the accompanying training materials.

Arrington said that the absence of working auditors doesn’t mean companies shouldn’t be getting ready now.

“You’ve got to get prepared for the audit,” she said. “You should be able to say ‘I think I’ve done my self-assessment, I think I’m at this CMMC level.’ Waiting for the audit to come in and then decide to get good or to get on track is not the way I would position my business.”