The Department of Defense (DoD) released the final version of its Cybersecurity Maturity Model Certification (CMMC) in January 2020, but without certification processes in place, third-party entities are offering fraudulent CMMCs to contractors interested in working with the department.
The guidance, which aims to certify DoD contractors’ cybersecurity practices and bolster supply chain security, is not required to be implemented for requests for information until June 2020 and for requests for proposals until September 2020. Lord explained that the CMMC third-party assessment organization has not yet been finalized and, therefore, no third-party entity has the ability to grant CMMCs.
“There are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department,” she said in a National Defense Industrial Association statement. “At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program.”
DoD is planning to sign a memorandum of understanding on the CMMC accreditation, certification, and approval process for the defense supply chain. Stakeholders can expect an announcement from the agency when that occurs.