The US Department of Defense (DoD) is going through a game-changing reset with respect to the cybersecurity policy and regulations applicable to the contractor and subcontractor ecosystem.
Until as recently as 2019, conventional thought was to adopt a graduated framework of security requirements depending on the nature of the contract and the size and role of a given contractor or subcontractor. Key to this prior approach was relying on prime contractors and subcontractors to self-certify.
In January 2020, industry news broke that the DoD effectively changed its view and mandated that contracts after October 2020 will incorporate formal third-party audits and verification for the entire DoD supply chain, effectively ending the self-certification approach to cybersecurity.
The downloadable .pdf below is a backgrounder prepared for your information, based on independent research and on presentations and information provided by Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition ASD(A) for Cyber, John Weiler of the CMMC Accreditation Body Board, and Derek White of the Beryllium Infosec Collaborative on 11 and 4 May 2020 respectively.