GAO: Pentagon Needs Goals to Improve CMMC Framework

The watchdog made several recommendations in an audit of the Cybersecurity Maturity Model Certification effort.

The Defense Department needs to improve communication with industry and develop performance measures regarding its Cybersecurity Maturity Model Certification framework, according to an audit released by the Government Accountability Office Dec. 8.

The audit, which took place over the past calendar year, found the Defense Department is inadequately reviewing CMMC, which was created in 2019 as a means for defense contractors to improve cybersecurity and information security practices through third-party assessments.

The program’s goal was to improve the cyber posture of a Defense Industrial Base that—while supplying hundreds of billions of dollars’ worth of goods and services to DOD—has access to some of the department’s most sensitive unclassified data. But in November, the Defense Department suspended CMMC while signaling major changes for the program. GAO’s audit suggests the Pentagon is doing a poor job of communicating with industry about industry’s concerns with the program or the coming changes to it.

“DOD engaged with industry in refining early versions of CMMC, but it has not provided sufficient details and timely communication on implementation,” the audit states. “Until DOD improves this communication, industry will be challenged to implement protections for DOD’s sensitive data.”

The auditors indicate that while the Defense Department has identified plans to assess portions of the five-year CMMC implementation plan, including data collection activities and high-level objectives, “these plans do not fully reflect GAO’s leading practices for effective pilot design.” Auditors called out the Pentagon for failing to define “when and how it will analyze its data to measure performance.”

“Further, GAO found that DOD has not developed outcome-oriented measures, such as reduced risk to sensitive information, to gauge the effectiveness of CMMC,” the audit states. “Without such measures, the department will be hindered in evaluating the extent to which CMMC is increasing the cybersecurity of the defense industrial base.”

GAO issued three recommendations to DOD: to improve communication with industry, to develop a plan to evaluate a pilot, and to develop outcome-oriented performance measures. The Defense Department concurred with those recommendations and outlined plans to address them in CMMC 2.0.

Source: https://www.nextgov.com/cio-briefing/2021/12/gao-pentagon-needs-goals-improve-cmmc-framework/187429/
