The third-party board implementing the Department of Defense’s new cybersecurity standards for contractors finally has a CEO after months of searching.
Matthew Travis, a former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, has been tapped to lead the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) — the organization tasked with overseeing the ecosystem of assessors who will inspect the IT networks of the 300,000 companies in the defense industrial base.
Travis will lead day-to-day operations of the CMMC-AB, a job that has largely been filled by the AB’s board of directors in the nearly 15 months since it was incorporated.
“We are extremely thrilled to have someone as respected and accomplished as Mr. Travis lead the Accreditation Body,” Board Chair Karlton Johnson said in a statement released Monday. “His organizational development skills as well as in-depth understanding of security and the Federal government will enable us to continue to quickly ramp-up AB operations and execute against our mission in service of the nation’s defense.”
Travis joined DHS in 2018 supporting what was then the National Protectorate and Programs Division — CISA’s precursor. His experience transitioning and standing up CISA within DHS was attractive to the AB, which is also a rapidly growing organization steeped in government work. Travis resigned from CISA in November 2020 after then-Director Christopher Krebs was fired.
A former naval officer, Travis also served as a White House liaison from the Office of the Secretary of the Navy in the late ’90s. His public resume shows work experience focused primarily on homeland security and counter-terrorism technology.
The AB had been searching for a CEO since the summer of 2020.
“Joining and leading the CMMC-AB is a tremendous opportunity. I look forward to using my collective experiences of running a security company start-up as well as my time at CISA, where I focused on supply chain risk, to ensure we mitigate risks as they relate to both the DoD and the contractor community,” Travis said in a statement. “There is no more important cyber mission right now than building a trusted, verified, and resilient cybersecurity ecosystem within the Defense Industrial Base.”
CMMC is the new requirement the DOD is phasing into contracts to certify companies’ cybersecurity to shore up its supply chain. The new model is a tiered system where contractors will need to pay for an assessment from a CMMC-AB-certified assessor, which will inspect the company’s networks and give it a 1-to-5 score based on the ability to meet the security controls laid out in the CMMC model.
Since CMMC’s initial introduction in 2019, supply chain security has become an increasingly important topic in defense and government contracting following the SolarWinds supply chain breach that impacted a multitude of government networks.
“When we look at where true cyber risk currently resides, the CMMC mission is a critical component of the safety and security of our nation and its citizens,” Travis said.
DOD officials have spoken previously about their hopes that DHS, Travis’s former employer, will adopt the CMMC model or something similar to it for the supply chain of civilian agencies.