An internal review of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program has been completed, according to Sen. Joe Manchin, D-W.Va., who said he understands that the DoD review will produce “significant” changes to the program.
Sen. Manchin said at a May 18 hearing of the Senate Armed Services Committee’s Subcommittee on Cybersecurity that the CMMC review has been completed by DoD, but that recommendations from the Pentagon are still being finalized.
But the senator said the DoD review is going to lead to changes to the CMMC program, based on information he has received from Deputy Defense Secretary Kathleen Hicks.
The senator quoted Hicks as saying the program would undergo “significant” modifications as a result of the review. He did not elaborate on the details of any expected changes.
During the hearing, Sen. Manchin keyed in on long-standing cost concerns expressed by smaller companies in the defense industrial base (DIB) for certifying their cybersecurity protections through the CMMC program.
“CMMC is intended to be financially self-sustaining, with companies paying for their assessments and certifications, and those companies then recouping compliance costs as part of their cost estimates to the DoD,” Manchin said at the hearing.
“Industrial base companies, especially smaller contractors, are very concerned about the cost involved in regular on-site assessments,” the senator said. In particular, he cited “the complexity of complying with cybersecurity practices that [companies] have difficulty understanding, and the degree of consistency and fairness in assessing compliance across the expected large number of assessing organizations and many tens of thousands of other companies.”
Those types of concerns spurred DoD’s internal review of the CMMC program in late March. The subcommittee initially pushed its CMMC hearing from April to May in hopes of hearing the results of the DoD review, and some members expressed dismay this week that those results were still not ready for release.
With a new administration taking over and continued worries about the CMMC process expressed by DIB companies, DoD’s review was initiated to look for “potential improvements,” a DoD spokesperson told MeriTalk at the time.
“In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the Department remains deeply committed to the security and integrity of the defense industrial base,” agency spokesperson Jessica Maxwell said in a March 31 statement. “As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process.”