The Department of Defense will publish the second draft of its newly created Cybersecurity Maturity Model Certification early next month.
“We are looking to roll CMMC out in a strategic manner, and will focus on our critical programs and technologies,” Lord said.
DOD issued version 0.4 of the framework, the first publicly released, last month. CMMC is meant to secure the defense supply chain by requiring contractors of all sizes to meet cybersecurity standards set out as a basic requirement in contracting language.
Already, DOD has received more than “2,000 comments, which are being reviewed and used to help tailor the final model,” Lord said.
The official framework, version 1.0, will drop January 2020, Lord said. Then, the first requests for information to include the CMMC language will come June 2020, with the final request for proposals later that fall, she said.
“We in the DOD will continue to work with the defense industrial base to ensure that the supply chain and the interested parties are informed, prepared and properly positioned,” Lord said.
DOD is also searching for a nonprofit entity to serve as the accreditation body for the CMMC program.
Trusted Capital Marketplace drone event next month
Next month, Lord’s team will also host the first event around its new Trusted Capital Marketplace — what she called a ” public-private partnership that will convene trusted sources of private capital with innovative companies critical to defense industrial base and national security.”
The Nov. 13 event, co-sponsored by Texas A&M University, will focus on small unmanned aerial systems (UAS) and counter-UAS technologies.
The university, Lord said, will host a website taking submission applications to join the event, which will have “about 75 slots open for industry, and then slots open for capital providers” given out on a “first-come, first-serve basis.”
During the press conference, Lord also detailed the Pentagon’s current use of waivers for military services to use DJI brand drones that are otherwise banned by the department over cybersecurity concerns and allegations of links to the Chinese government. She said, yes, the services do grant waivers, but the DJI drones are not used in the field.
“The reason that we write some waivers for these is to have them used on ranges, in highly controlled conditions to test our counter-UAS capability so those are used as targets,” she said. “We are not authorizing utilization of Chinese drones out in the field. We are using them for targets.”