Pentagon Seeks Continuous Monitoring of Defense Contractors' Cybersecurity

The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program—the CMMC-AB—issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.

The CMMC will end the DOD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DOD to gain a certificate from third-party auditors that will be valid for up to three years.   

“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DOD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.” 

The CMMC-AB posted the RFP to its LinkedIn page earlier today with a May 1 deadline for responses.

Related: More Industry Regulations Are Needed to Improve US Cybersecurity, Congressional Report Says

Related: Small Contractors Struggle to Meet Cyber Security Standards, Pentagon Finds

Related: Key Defense Supplier Hit by Ransomware

Katie Arrington, chief information security officer for the Defense acquisition office, who has embraced the alternative title “mother of the CMMC,” mentioned the RFP during a webinar today on the DOD’s efforts to help small businesses amid the coronavirus pandemic. 

She was responding to a question about how the coronavirus would affect the timeline for implementing the CMMC. 

Arrington has previously said the program would be unaffected, noting that the training for assessors would largely take place online anyway.

But last week during a Bloomberg Government webinar she conceded the virus is “affecting every aspect of our lives” and that there may be a delay in initial audits by about two weeks.

Today, she seemed to give herself more flexibility but pointed to other areas, such as the CMMC-AB’s RFP, where the program is still moving full speed ahead. 

“The training and the audits are based with a portion in person, and until we get the directive from the president and [Defense] Secretary Esper, we have our stay at home orders and [are] only mission-critical and trying to keep our meetings in-person to a minimal, so stay tuned, we’re still doing our absolute best to stay on track.” 

Arrington said the plan is still to roll out the first class of auditors in late May, early June. The audits have to happen in-person, on-site, she stressed but noted the DOD is working with the “pathfinders” who will undergo the initial reviews.

Inside the Portal

The chief requirements for respondents to the RFP is that the partner entity “accept and secure AB and DOD Intellectual property” and create a secure portal that would allow various stakeholders access to varying degrees. 

According to the RFP, organizations seeking certification, assessors and certified third-party assessment organizations known as C3PAOs “will all utilize the CMMC-AB’s continuous monitoring solution to conduct pre-assessment background research as well as monitor companies between formal assessments.” 

Defense officials have stressed their independence from the CMMC-AB. While the portal should support multi-factor access with the department’s Common Access Card, authorized DOD staff would only have “read only” access. They should, however, be able to “search for and view information on any company in the database and to access aggregated metrics from across all monitored companies and defined subsets thereof,” the RFP states.

Assessors and their C3PAOs, meanwhile, should be able to receive automatic notifications when any company they were responsible for assessing has a security score decrease a specific, to be determined amount, according to the RFP.  

The document also notes that while the CMMC-AB has not decided on a location for its physical headquarters, it has determined it will need to have a physical presence in each of the following regions: California, Texas, Connecticut, Florida, Washington, Pennsylvania, Massachusetts, Arizona and the Washington, D.C. area. 

The CMMC-AB notes a required presence in some international locations, including Germany and Japan. 

Some stakeholders have expressed concern about how the CMMC will apply to multinational companies and subcontractors based outside the U.S. 

A “continuous monitoring solution deployable on a global scale is therefore advantageous,” the group wrote in the RFP.