DoD was urged to be flexible
“Many people have urged the DoD to take a more flexible approach,” he continued. “They wanted the minimum score from DOD as needed to approve any POA&Ms. Basically, the DOD says that if the test is done, you must pass 80% of the 110 specified requirements in that special publication. And if you do not exceed 80% of those, you are not eligible for any POA&Ms to close within six months.”
“But still, there are about 45 very important Internet requirements out of that group of 110 that the DOD said you have to meet on the first attempt, or they won’t let you have a POA&M to cover it, if you have an 80% score.
Contractors are urged to start with inspections
Contractors were urged to conduct a CMMC audit within a 60-day period following the publication of the new rule in the Federal Register by Brian Kirk, senior manager of information assurance and cybersecurity at accounting and consulting firm Cherry Bekaert, which is CMMC’s Third-Party Audit Organization (C3PAO ). C3PAOs are independent organizations mandated to evaluate contractors’ cybersecurity practices and controls to ensure they meet the required security standards set by the DOD.
Source link