The Defense Department’s Cybersecurity Maturity Model Certification is nearly finished, and its release with a list of accrediting bodies is imminent. But while companies shouldn’t wait until things are finalized to prep for certification, many are hesitant to make major changes to comply.
Corbin Evans, the director of regulatory policy for the National Defense Industrial Association, says that many of their members haven’t determined where they fall in CMMC or what level they will seek. One of the most prominent concerns is the reliability of auditors. There is also concern that DoD officials will manipulate the designation of higher CMMC levels on contracts, either to limit competition to favored vendors or to ensure security beyond its actual needs.