The Department of Defense is making progress on both its Cybersecurity Maturity Model Certification (CMMC) and a new policy on software development in the department, said Ellen Lord, undersecretary of acquisition at the Pentagon, in a press conference today.
Lord announced that the department received over 2,000 comments on version 0.4 of the CMMC, released for public comment in September. The model, being developed in partnership with experts at Johns Hopkins and Carnegie Mellon, establishes five levels of maturity across 18 domains and many capabilities. The certification accreditation will be run by a nonprofit organization – a request for information is out for that organization.
“The CMMC establishes security as the foundation to acquisition, and combines the various cybersecurity standards into one standard,” she said.
Lord noted that the project remains on its timeline – the department plans to finalize the model by January 2020, and begin implementing it as a requirement in June 2020. Lord also noted that version 0.6 will be released for public comment during the first week of November.
“We are looking to roll CMMC out in a strategic manner and will focus on our critical programs and technologies,” she added.
Lord also announced that the department is changing its approach on software development by implementing the recommendations from the Defense Innovation Board’s report on the subject from May. The new approach will take the form of an interim policy and will be released soon, although Lord did not provide a timeline.
The policy will focus on promoting agile development practices and will establish a software acquisition pathway within the department. Lord noted the new path will place an emphasis on user feedback, continuous delivery from contractors, and include a risk management framework
“The key tenants include [that it] simplifies the acquisition model to continuous integration and delivery of software capabilities on timelines relevant to the warfighter and the end-user,” she said.