The Information Technology Industry (ITI) Council, National Defense Industrial Association (NDIA) and the Professional Services Council (PSC) have presented six recommendations to the Department of Defense (DOD) to better support the review of potential changes to the Cybersecurity Maturity Model Certification (CMMC) program and assessment practices.
PSC, NDIA and ITI wrote in a Wednesday letter to Kathleen Hicks, deputy secretary of DOD and a 2021 Wash100 Award winner, that the Pentagon should facilitate regular engagement with industry to improve the CMMC program and implementation of the requirements by creating a government-industry advisory board that would host monthly meetings.
The trade groups called on DOD to improve and standardize the marking practices for controlled unclassified information requiring protection and harmonize CMMC requirements with current and future federal cybersecurity directives to drive the implementation of a holistic risk management strategy.
“To that end, we encourage DoD to issue authoritative guidance on reciprocity with existing certifications and to harmonize not-yet implemented security requirements as appropriate,” the letter reads.
The three industry associations also recommended that the Pentagon clarify intergovernmental authorities for CMMC implementation; provide small businesses with additional implementation guidance and support; and assess and clarify remaining policy and process questions concerning the implementation of the Defense Federal Acquisition Regulation Supplement in relation to the CMMC program.
“With urgency and criticality, if DoD is considering major changes to CMMC, we strongly recommend that these be aired with industry before any final decisions are made since it is industry that bears the responsibility to meet the Department’s security requirements,” the letter notes.
ExecutiveBiz, sister site of GovConDaily and part of the Executive Mosaic digital media umbrella, will host a virtual event about securing the supply chain on Oct. 26. Visit ExecutiveBiz.com to sign up for the “Supply Chain Cybersecurity: Revelations and Innovations” event.