The legislative path for CMMC won’t become clear until requirements enter DFARS at some point in 2020 or maybe early 2021. Until then the programme continues its planning to develop training materials, assessor guides and accreditation processes. Whether or not you believe it will happen, what is clear is that the DoD accepts that it must do something to enforce cyber security in procurement processes to protect its IP.
CMMC has always been discussed as an opportunity for other Federal agencies, and here is an example where a Federal agency has added CMMC into its procurement processes. It is not clear if the General Services Administration has CMMC written into its acquisition standards for Government-wide acquisition, and there are certainly no approved or trained CMMC assessors in place, as CMMC as it currently stands is focused only on DoD.
But it is clear that, as an agency, GSA believes that CMMC is an important standard, and this is a $50Bn contract. Whilst CMMC oversight will be a challenge, it is difficult to roll back from a commitment, and if this is a sign of what will happen, then other agencies may well follow, requiring CMMC oversight.
Article by: FedScoop 08.07.2020