A new cybersecurity standard for future Defense Department acquisitions was released in January, and unauthorized third-party entities have since been claiming to provide these certifications to enable contracting with the department, a Pentagon official says.
But these Cybersecurity Maturity Model Certifications are fraudulent — no third-party entities have been authorized and the requirements for becoming a CMMC third-party assessment organization have not yet been finalized, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said in a March 13 statement.
Lord said she introduced the model last year and has since stressed the importance of communicating and engaging with all stakeholders, including industry, academia, military services, Capitol Hill and the public, to understand concerns and suggestions.
“The purpose of this communication was, and still is, to ensure everyone fully understands the intent, process and requirements of CMMC to fight the very real threats that drive us to require rigorous cybersecurity,” she said.
Still, DOD has learned of third-party entities making public representations of providing these CMMC certifications to contractors looking to work with DOD.
“The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners,” Lord added.
In fact, there are no third-party entities at this time capable of providing CMMC certifications that DOD will accept, and only training materials or presentations provided by the department will reflect its official position on the CMMC program.
Lord said she has also reached out to the presidents of the Professional Services Council, the Aerospace Industries Association and the National Defense Industrial Association to make them aware, as they remain connected with her CMMC team. Her office will make an announcement on advancements to the certification approval processes.
“Moving forward I am confident we will soon sign a Memorandum of Understanding (MOU) with the Cybersecurity Maturity Model Certification Accreditation Body on the accreditation, certification and approval processes relating to the Defense Supply Chain,” Lord said.