Last Updated on January 26, 2021
Right now the US Department of Defense (DoD) has two organizations assessing cybersecurity compliance within its supplier base: the CMMC Accreditation Body (CMMC-AB) and the Defense Contract Management Agency (DCMA). The former is charged with auditing suppliers against the new Cybersecurity Maturity Model Certification framework as it gradually replaces the legacy self-attestation regime based on NIST 800-171. The latter has responsibility for verifying NIST 800-171 compliance within current DoD contracts.
How do these two entities relate? And how long will they coexist?
A recent episode of The Virtual CISO Podcast explored these topics with special guest John Ellis, the DCMA’s point person for cybersecurity policy, including its new interim audit program.
“DCMA has been involved in the establishment of CMMC since day one,” John asserts. “We went through the assessment process and figured out how to really work through the methodology and improve it as we went along. We modified our training along the way to ensure that we actually applied those lessons learned.”
“I know that’s a radical thing to say in the government, but we really did endeavor to do that. And we believe we’ve done a pretty good job,” quips John. “So as CMMC has been standing up, we wanted to ensure that they had the benefit of all of that training, all of those lessons learned, all of those hard knocks that we had to figure out the hard way.”
“So our Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is very much a part of that development team on the CMMC side of things, to ensure that there is that training leverage that we’ve put together, including the actual assessment methodology itself. There is a ton of collaboration,” John reiterates. “DCMA’s been involved in all aspects of the training, in aspects of the mock assessments, in all of those activities that will eventually lead up to the full implementation of CMMC.”
Will the DIBCAC continue to perform NIST 800-171 assessments right through to full CMMC rollout in 2025?
“We’re going to continue to conduct assessments up until some transition point,” John explains. “Until CMMC is kind of up-and-running, we will continue to perform those standard methodology assessments—that is still the requirement.”
John continues: “One thing I want to make sure folks understand, though, is that CMMC is not going to do away with the government assessing programs. So yes, there will be CMMC assessments. But if you guys recall, prior to the standard assessment methodology we started last year, the whole NIST 800-171 clause was based on a ‘trust me’ model. Nobody was really looking… And we are all now aware of some of the incidents that occurred. So we don’t need to go into that.”
“Even once CMMC rolls out, we the government will maintain an ability to independently assess things that are of sufficient priority or of particular interest to the government,” states John. “I think that’s a good, honest broker approach to ensuring that we’re all on the same sheet of music in terms of priorities and the importance of why CMMC and the DFARS 7012 requirements are there.”
“So there will be assessments that are outside of CMMC, based on those DoD priorities,” John clarifies. “DCMA will continue to be part of the valued team that is known as the umbrella of CMMC. We will always be there. We’re kind of like a bad penny: we just keep turning up.”
Not surprising for an entity with 12,000 employees worldwide, whose role is to manage about $8 trillion worth of DoD contracts, and to validate that contractors and subcontractors are conforming to contract requirements.
If your company does business with the DoD, this podcast with John Ellis offers invaluable insight and straight answers to help you prepare to prove compliance with the cybersecurity guidelines in your contract(s).
To hear the show with John Ellis all the way through, and also browse our growing collection of information security podcast episodes, click here.
If you don’t use Apple Podcasts, click here.