
At a recent Information Security and Privacy Advisory Board meeting, DoD and NIST officials provided updates on two nascent programs: NIST’s new draft cybersecurity guidance for contractor systems deemed “high value assets,” and the Pentagon’s Cybersecurity Maturity Model Certification program. Both are designed to address problems with DoD’s cybersecurity regime for contractors, and both are causing heartburn among companies that are still unclear about how best to comply.

The NIST draft guidance around high value assets went out for public comment earlier this year. The more than 600 responses reflect confusion about the scope and application of the requirements. Every individual requirement listed in the draft received more than a dozen comments or critiques.

Defense contractors and experts have also expressed anxiety about how the CMMC will work, how it will apply to their systems, and whether the military can work out the kinks and confusion before a contractor’s certification level begins affecting the kind of procurements it can pursue.

More at Federal Computer Week