Recently introduced, the Cybersecurity Maturity Model Certification framework will dramatically change the process for IT vendors looking to do business with the Defense Department.
Recently introduced, the Cybersecurity Maturity Model Certification framework will dramatically change the process for IT vendors looking to do business with the Defense Department. Put simply, vendors will no longer be able to self-attest that all necessary controls are either in place or will be in place within a specified time frame; now, they'll be assessed by a third party and issued a level rating.
Greg Thornton with SSE Inc. in St. Louis, MO shares insights into CMMC and what will be required from IT vendors looking to work with DoD.
How does it work?
The Department of Defense is currently setting up the accreditation body that will oversee the program. Sometime this month, they will release the memorandum of understanding and then begin the process of credentialing C3PAOs, the third-party organizations that will assess and certify vendors and then monitor those certifications going forward.
Vendors will be certified on a five-tier system based on their progress toward 173 practices and 43 capabilities. The standards used are based on the National Institute of Standards of Technology, international standards and standards that drive aviation. After compiling all standards, the Pentagon worked through the list to reduce it to those that will be used going forward.
How will it impact IT vendors?
There are both advantages and disadvantages to IT vendors. Right now, if two vendors bid on a single project, the vendor with the lower rate will win. However, what clients can't see is that one vendor has 110 controls in place with the other vendor may only have 80 or 90 controls in place and an action plan in motion for the remaining controls. The current process is deceiving to clients and leaves more qualified vendors with less work, in many cases. The new process brings awareness to the difference between a higher bid and a lower bid, giving qualified vendors a better shot at the projects they want.
However, there are disadvantages. Those lower-priced vendors with fewer controls in place may find it more difficult to compete despite lower bids due to the transparency of the rating system. Additionally, not all vendors are in a position to attain certification due to the commitment required to meet all controls. The Department of Defense does plan to offer scholarships or grants to assist vendors who need it.
Are all vendors impacted?
No. Right now, the certification is required for vendors who want to provide contracted services to the Defense Department. However, those working in tech know how critical it is to be nimble and ready for change all times, and this certification program could easily lay the groundwork for the future. Large organizations may choose to adopt the same standard for increased security, marking the beginning of new expectations across the board when it comes to IT vendor selection.
For this reason, it is in the best interest of IT services vendors to work toward certification whether they plan to work for the Defense Department or not and in the best interest of organizations to consider adopting the same or similar standards.
This article does not necessarily reflect the opinions of the editors or management of EconoTimes.


DOJ Seeks Dismissal of Fraud Charges Against Gautam Adani in U.S. Court
Kuaishou Stock Jumps as Kling AI Secures $2 Billion Funding Round
Anthropic Tightens AI Access Controls After Reports of China-Based Workarounds
Samsung Q2 Profit Hits Record on AI Memory Boom as Shares Tumble
AI Memory Chip Shortage Likely to Persist Despite Korea Investment Boom, Nomura Says
Meta Says States Seek $1.4 Trillion in Penalties Over Teen Social Media Addiction Lawsuit
Foxconn Q2 Revenue Surges Nearly 40% on Strong AI Server Demand
easyJet Agrees in Principle to £5.23 Billion Castlelake Takeover Offer
LG Energy Solution Q2 Profit Plunges 77% Despite Revenue Growth on Weak EV Demand
Apple Expands iPhone Lineup, Boosts Foldable iPhone Production Plans Through 2027
Chinese Copper Foil Maker Londian Files U.S. IPO as EV Battery Demand Grows
Citi Raises TSMC Price Target as AI Chip Demand Strengthens Growth Outlook
Meta CEO Zuckerberg Says AI Agent Development Has Slowed Despite Massive AI Investment
Texas Man Charged After Fatal Tesla Full Self-Driving Crash in Katy
OpenAI Proposes 5% U.S. Government Stake Amid AI Policy Talks
BHP Workers Approve New Labour Agreement at WA Iron Ore Operations 



