The department, which relied heavily on self-inspection of its suppliers in the past, has been criticized by its Inspector General for lax oversight of those suppliers. In a report released in December 2023, Inspector General Robert P. Storch noted that his agency had issued five reports from 2018 to 2023 finding that DoD contracting officials had failed to establish procedures to ensure that contractors complied with selected CUI cybersecurity requirements, as required by the National Institute of Standards and Technology (NIST).
There is no relief from the pressure to conform
With the new law, the CMMC system implements an annual verification requirement that is a key element of monitoring and enforcing accountability for a company’s cybersecurity posture. It also introduces Plans of Action and Milestones (POA&Ms). POA&Ms will be issued with certain requirements, as outlined in the law, to allow the entity to obtain conditional certification for 180 days while working to meet NIST standards.
Despite the introduction of POA&Ms, contractors are concerned about their ability to comply with the requirements of the new law within the time limits they face. “If anyone in the industry was hoping the pressure would ease, I don’t think it was,” said Robert Metzger, chairman of cybersecurity at the law firm Rogers Joseph O’Donnell.