Richard Beutel: The feedback were getting from the companies is that the DOD is pushing a lot of the administrative and policy development back on the companies and expecting them to do the hard administrative and programmatic development that this program needs. The question I have is how is that going to work? The companies are being asked to embrace a new regulatory framework and set up a program office, basically. So it’s a concern. We don’t want CMMC to become another obstacle.
I was hearing there was a lot of shock and dismay from the companies that they were being asked to set up to such a burdensome series of requirements.
Mike Hettinger: The CMMC is a whole of company thing. FedRAMP was very product focused. I will take this specific product through the FedRAMP process and agencies can presumably use it. With CMMC it’s about the whole corporate environment being cyber secure.
That was from a discussion on Government Matters, “Updating the Federal Risk Authorization and Management Program.”
The FedRAMP Program Management Office was set up back in June 2012, and to date Hettinger says that only 120 products have become FedRAMP certified.
The Cybersecurity Maturity Model Certification (CMMC) is separate from FedRAMP. It is a “go/no go” requirement. If the contractor isn’t CMM certified at the appropriate level, then ostensibly it won’t receive a contract. That mirrors the way the UK is approaching cybersecurity.
CMMC is slated to start appearing in contract RFPs starting September 2020. Hettinger expects that because CMMC will require a year or more of work by contractors, meaning that will be a delay in seeing CMMC in RFPs.
One open question is whether the prime contractor will have to ensure that its subcontractors, to some level down the supplier tiers, are also CMM certified. If the DOD takes digital engineering seriously, then one would expect that many layers of subcontractors will have to integrate into a cybersecure framework or else be misaligned with the development process.
Leave a Reply