Even before its official launch, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program is generating additional interest in its applicability for non-defense sectors, panelists said at the CISQ Cyber Resilience Summit.
The CMMC program – which is set to take effect Nov. 30 – aims to improve DoD supply chain security by requiring third-party assessments of cybersecurity practices among the Defense Industrial Base, which numbers more than 300,000 companies.
During a discussion at today’s CISQ event, panelists were asked how good a fit the CMMC program might be for improving security in civilian government supply chains.
John Weiler, board chairman at the CMMC Center of Excellence, said that Federal agencies including NASA and the General Services Administration (GSA) have “already reached out” to their contractors “to get ready for the CMMC standard.”
Weiler also indicated that his organization has received some indications of interest from parties in Europe in a standard similar to CMMC. He said that any consideration of migrating the program to different sectors needs to include dealing with the program’s limitations, and added that his group is looking at the “entire ecosystem” in that regard.
Speaking on the same panel, Robert Morgus, Senior Director at the U.S. Cyberspace Solarium Commission, said that CMMC has the potential to become a consolidator of supply chain security standards. He opined that CMMC “would benefit the entire government,” including state and local entities, if it were used in the civilian government market.