The Department of Defense advises companies to first assess themselves for compliance with the Cybersecurity Maturity Model Certification (CMMC) requirements, as certified CMMC assessors are still not ready to audit for the program, FedScoop reported Wednesday.
Stacy Bostjanick, a DOD official working on CMMC, said companies looking to receive early CMMC approval may first test their own network security, as no existing certified third-party assessor organization (C3PAO) is prepared to conduct assessments.
Bostjanick noted that she expects several C3PAO companies to have completed the needed accreditation by early summer. Kratos Defense and Security Solutions is among the first few companies that have received accreditation to become a C3PAO.
The five-tier CMMC model is designed to standardize the security controls for controlled unclassified information within the defense industrial base.