The Department of Defense (DoD) Inspector General (IG) announced last week that it plans to conduct an audit into the Cybersecurity Maturity Model Certification (CMMC) program – the Pentagon’s high-profile contractor cybersecurity program.

The objective of the audit is to determine whether DoD’s CMMC program adequately meets the department’s cybersecurity needs and accreditation requirements, the notice says.

The CMMC framework seeks to help assess defense contractors’ compliance with cybersecurity requirements to protect Federal contract data and controlled unclassified information from advanced persistent threats and other cyberattacks.  

The DoD plans to begin including CMMC in contracts late next year.

Deployment of DoD’s cyber compliance program has been delayed several times as the department continues to revamp the details and requirements of the program.

In September 2020, DoD published an interim rule that implemented the DoD’s initial vision for the CMMC program. The Pentagon first expected that the CMMC would be an interim final rule, but the proposed rule involves a more extensive comment and feedback process.

In March 2021, the department initiated an internal review of CMMC’s implementation to refine policy and program implementation. In November 2021, the Pentagon introduced the second iteration of CMMC, which simplifies program standards and clarifies cybersecurity policy, regulatory, and contracting requirements.

CMMC requirements are still in the rulemaking process. In late July 2023, the DoD submitted its proposed rule to implement CMMC 2.0 to the Office of Management and Budget for review.

Specific details of what is inside the proposed rule have not been made publicly available.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.