Ahhh the acronyms! Translated, we have our first "certified" Cybersecurity Maturity Model Certification (CMMC) auditor in the Defense Industrial Base (DIB). Hot off the FedScoop presses, this is actually pretty big news, as you cannot really have a certification if you have no auditors. After getting pilot contracts out, the next step in the CMMC journey is scheduling audits, so we are now on our way forward. Who certified the first auditor? The DOD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the agency responsible for approving auditors (and performing audits against the DIB). The CMMC Accreditation Body (CMMC-AB) now needs to grant "the company" Certified Third Party Assessment Organization (C3PAO) status, and they will then be able to officially start assessing.
Yes, "the company" is not named; they are anonymous. Why? My guess is, for the benefit of the assessing company. There are 300k members of the DIB, and passing a CMMC L3 assessment will be a competitive advantage. Only certified DIB members can compete for contracts with a CMMC L3 clause.
The article references 2026 as the DOD goal for CMMC requirements in all contracts. This was news to me and continues the very aggressive schedule DOD is following. The majority of the contracts will only require CMMC L1, which is basic cyber hygiene, and not L3, which is required for dealing with Controlled Unclassified Information (CUI). If you are a Data Professional in the MS Government Community Cloud, now is the time to secure your infrastructure and prepare for your CMMC audit. Like the Borg, resistance is futile.
Join me on Twitter to discuss this article or anything about SQL Server in the GCC/GCC-H!