Under Secretary of Defense Ellen Lord statement on misleading cybersecurity certification information
Statement from Under Secretary of Defense Ellen Lord:
Since I introduced the Cybersecurity Maturity Model Certification model last year, I have consistently stressed the importance of communicating and engaging extensively with industry, academia, military services, the Hill and the public to hear their concerns and suggestions. The purpose of this communication was, and still is, to ensure everyone fully understands the intent, process and requirements of CMMC to fight the very real threats that drive us to require rigorous cybersecurity.
Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD. The requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized, so it is disappointing that some are trying to mislead our valued business partners. To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department. At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program. I have also reached out to the presidents of the PSC, AIA and NDIA industry associations to make them aware as well, and they remain connected with my CMMC team.
Moving forward I am confident we will soon sign a Memorandum of Understanding (MOU) with the Cybersecurity Maturity Model Certification Accreditation Body on the accreditation, certification and approval processes relating to the Defense Supply Chain. When that happens we will make an announcement.