Ask the CIO presents excerpts from a panel about CMMC 2.0 from the AFCEA NOVA Small Business IT Day, featuring Kelly Fletcher and Stacy Bostjanick (each a deputy CIO within the Defense Department) and John Ellis of the Defense Contract Management Agency. Bostjanick said contractors have definitely become more understanding in recent years of the need to protect their data, but many have not yet fully embraced CMMC. Fletcher said that letting contractors self-attest to their compliance creates a potentially unlevel playing field for contractors who devote the time, attention, and other resources to genuinely secure their data, compared to those that just say they do.
Ellis said that over the last few years, only 25% of the companies they assessed were compliant with the requirements of NIST SP 800-171. This is why DCMA is launching an early adopter program, helping companies work with certifiers on the requirements before they are finalized. Bostjanick said the early adopter program benefits the third-party auditors, DCMA, and contractors because all will get experience with CMMC standards.
Source:
- Federal News Network: CMMC Early Adopter Program to Further Spur Vendor Cyber Actions
