Industry groups are pressing Deputy Secretary of Defense Kathleen Hicks and the Department of Defense (DoD) to publicly reaffirm the Pentagon’s commitment to its Cybersecurity Maturity Model Certification (CMMC) program.
In a Sept. 8 letter from the Information Technology Industry Council, National Defense Industrial Association, and the Professional Services Council, the groups asked the DoD for more regular industry input on the program, and said public comment would also quell some uncertainty in the defense industrial base community about the program.
“We believe it is important for the Department to remain publicly committed to the CMMC program to underscore the program’s importance for national and supporting global cyber ecosystems,” the groups wrote. “This public commitment should be communicated promptly and is particularly important in the context of the Department’s continued internal review, updates to SPRS (Supplier Performance Risk System) tracking and reporting, and the pending publication of the Government Accountability Office’s (GAO) report on CMMC.”
In addition to suggesting increased industry input, the groups also suggest that DoD place any requirements from CMMC and related contractual clauses in line with any future cybersecurity directives, and clarify exactly which intergovernmental authorities are responsible for implementing the CMMC program and any other related cyber requirements.
The groups said their concern stems from the idea that without such public commitment, companies will continue to delay important cybersecurity practices until they have a better idea of the full requirements.
The program has been under an internal review since March 31 and – despite Sen. Joe Manchin, D-W.V., saying the review was completed in May – there has been no public announcement of the review’s status or any changes coming down the pipeline.