On August 13, Ellen Lord, the Defense Department’s (DoD) undersecretary of Defense for Acquisition and Sustainment, provided updates on pathfinder projects and database construction for DoD’s Cybersecurity Maturity Model Certification (CMMC) program, which aims to strengthen cybersecurity throughout the U.S. defense industrial base (DIB).
Speaking at an event organized by the Professional Services Council, Lord said that DoD’s Office of the Chief Information Security Officer for Acquisition (OCISO-A) and the Missile Defense Agency are completing a CMMC assessment pathfinder project on an unidentified existing contract. The project involves acquisition tabletop exercises, training of mock CMMC assessors, and mock assessments of a prime contractor and three subcontractors.
She said OCISO-A and an unidentified DoD “stakeholder” will begin a second CMMC assessment pathfinder project next month on another existing contract, and that the office is looking for more contracts on which to conduct CMMC pilot projects.
The pilots, she said, “will be implemented on new DoD contracts to further reduce the risk of CMMC phased rollout, by focusing on the flow-down of controlled unclassified information … and CMMC requirements through the supply chain and conduct of mock CMMC assessments.”
Finally, Lord said DoD is now working with the Defense Information Systems Agency’s (DISA) Enterprise Mission Assurance Support Service to develop CMMC EMASS – which is intended to serve as the infrastructure for CMMC assessment reports, certificates, and data analytics. Initial development of CMMC EMASS is scheduled to start this month, she said.