CMMC-AB’s Matthew Travis Aiming for Early 2022 Launch of Revamped DOD Cybersecurity Program

Matthew Travis, CEO of the Cybersecurity Maturity Model Certification Accreditation Body, is aiming for an early 2022 launch of the interim and voluntary phase of CMMC 2.0.

The Department of Defense’s revamped cybersecurity program is currently under a reboot and it could take between nine and 24 months to get up and running once the rulemaking process concludes.

According to Travis, CMMC 2.0 benefits from a self-attestation rule and the fact that defense companies no longer have to wait for a phase-in piloting period for contracts as required by the original program, FCW reported.

He told the publication that by allowing companies to verify their own cyber defenses, the CMMC program is able to build elasticity. Self-attestation is allowed for all level 1 contracts and some level 2 contracts under CMMC 2.0. It has, however, raised concerns about contractor honesty and a drop in demand for CMMC third-party assessor organizations.

“This is a scalability management mechanism that the department can dial up or dial down. And if there are a very limited number of C3PAOs and assessors, then they’re going to have to probably have more level 2 contracts be designated for self-attestation,” Travis explained.

In assistance of the defense industrial base, Travis said the CMMC-AB will offer level 1 certifications, as a voluntary option, to provide companies an extra layer of assurance. He noted that the move will allow defense contractors to “self-attest with confidence.”

With the CMMC on hold and some rules about its implementation still being kept under wraps, contractors are encouraged to ensure compliance with other relevant cybersecurity standards in the meantime.

For Eric Noonan, the CEO of CyberSheath, that means doing an assessment against the NIST 800-171 standards, among other things.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now