“After DoD announced that it was planning on rolling out CMMC as a pilot requirement for up to 15 contracts for FY2021, a lengthy internal review of the program ultimately led to the postponement of those pilots. The review concluded in early November, leading to the announcement of CMMC 2.0 with simplified requirements for Defense Industrial Base (DIB) contractors.
‘DoD began implementing CMMC in September 2020 through an interim rule (effective November 30, 2020) and is currently in the 5-year pilot phase leading to full CMMC implementation,’ the report says. ‘However, implementation of the pilot has been delayed and the program has not met its fiscal year 2021 goals. DIB companies have also expressed a broad range of concerns about CMMC implementation, such as costs to support assessments, reciprocity with other cybersecurity certifications, and assessment consistency.’…”
“GAO says that currently just five organizations have been certified as third-party assessors by the CMMC-Accreditation Body (CMMC-AB), while more than 190 organizations are currently awaiting a DIB Cybersecurity Assessment Center assessment. This has led to only assessment organization being examined, it said.
With the delay, program officials told GAO that the under secretary of Defense will release a memo towards the beginning of each fiscal year that defines the target number of pilots contracts for that year. DoD currently said it ‘has not yet determined the structure and scope of any pilot under CMMC 2.0,’ according to GAO…” Read the full article here.
Source: GAO Knocks DoD on CMMC Implementation Goals, Communications – By Lamar Johnson, December 9, 2021. MeriTalk.
