The Cybersecurity Maturity Model Certification (CMMC) accreditation body is planning to enlist an independent “partner” that will continue evaluating CMMC-authorized contractors that are required to renew their certifications every three years, Nextgov reported Thursday.
Chris Golden, a member of the board for CMMC-AB, said at a SecurityScorecard webinar that the accreditation body is looking into deploying a monitoring tool that utilizes data in the public domain to ensure continuous monitoring of certified companies.
“That’s a snapshot in time, there’s a whole bunch of things that can happen in that three-year period,” he noted.
Robert Knake, a senior fellow for cyber policy at the Council on Foreign Relations, said that most CMMC and Federal Risk and Authorization Management Program (FedRAMP) elements can be measured on an automated and continuous basis.
He added that the CMMC program would mostly benefit from tools such as SecurityScorecard’s product that can collect internal data on a company’s cybersecurity posture and report it to stakeholders.
“I think we probably won’t see a sensor moving inside the network, I think we probably will see some form of data collector moving inside the network and bringing data out that can tell you where you are and can tell DoD where you are, or other regulators or other third parties,” said Knake.