Assessors for the new cybersecurity standard for Department of Defense (DoD) contractors have not yet been selected, but a Department of Homeland Security (DHS) official praised DoD’s efforts and said his department is looking toward their example.
The Cybersecurity Maturity Model Certification (CMMC) is DoD’s vehicle for shoring up the cybersecurity of the roughly 300,000 contractors in the defense industrial base. The assessors for the program won’t be trained until later this summer, but DoD is planning on putting the standard into contracts this year.
“It’s been one of the most impressive efforts done by the U.S. government,” Bob Kolasky, assistant director of the National Risk Management Center (NRMC) at DHS’ Cybersecurity and Infrastructure Security Agency (CISA), said of the CMMC. “It really has the potential to change practices across the defense industrial base supply chain.”
Kolasky, who has been a leader on CISA’s Information and Communications Technology Supply Chain Risk Management Task Force since 2018, said DHS is looking at the CMMC as an example.
“We’re looking at them and seeing if there are things that we can do that would be harmonized,” said Kolasky, during an online event June 3 hosted by Sepio Systems, Inc.
Kolasky emphasized the desire to keep costs down and not put additional regulatory burdens on industry.
“Any security regime shouldn’t create too much burden for compliance, where you’re actually spending more money on compliance than security,” said Kolasky, “and I think that’s how we are ultimately going to judge the success of the CMMC.”
The Information and Communications Technology Supply Chain Risk Management Task Force, which Kolasky leads, released a report in September 2019 and is aiming for another report in late summer or early fall, Kolasky said. He expressed a desire for major companies to show leadership in securing supply chains.
“If the big IT and comms companies and their suppliers are out there doing great practices, the country is going to be a heck of a lot more secure,” Kolasky said.
Yossi Appleboum, the CEO of Sepio Systems, said technologies that are “made in America” often have component parts manufactured somewhere else, which leads to the insecurity of the final product.
John Miller, a senior vice president of the Information Technology Industry Council and leader on the Supply Chain Risk Management Task Force with Kolasky, said country of origin is just one of many security factors that need to be weighed.
“Country of origin is just one of 188 different supplier-related threats that were identified by the Task Force,” said Miller. “I would urge people not to only focus on country of origin. There is a lot else.”