Bottleneck Emerges in DOD’s Contractual Cybersecurity Program

Companies in line to become the authorized assessors for the DOD’s supply chain cybersecurity program are facing a new roadblock up their hands. The bottleneck that is troubling them is getting and passing an assessment of their own.

It not only infuriates and agitates the companies who are in line to integrate their efforts for the DOD’s lucrative program but also threatens to complicate the timeline for implementing a critical DOD’s initiative. The CMMC program requires every defense contractual base to hire a license assessor to inspect its networks, something that has to be abided by the rules. The DOD’s cannot continue in case there is no fully licensed assessor available to hire.

There’s a bottleneck in licensing assessors under the DOD’s Cybersecurity Maturity Model Certification (CMMC), according to multiple organizations waiting to go through the process. “There is…a little bit of a log jam,” Johann Dettweiler, director of operations for TalaTek, a prospective Certified Third-Party Assessor Organization (C3PAO), said in an interview.

Talatek’s assessment is slated to get its required assessment from the DOD’s Industrial Base Cybersecurity Assessment Center (DIBCAC) this spring if all goes well with those in line before it. Dettweiler concerns are mounting up as he recently received a phone call from the other C3PAOs that they were having difficulty meeting CMMC level three. These learnings have affected the working of the companies.

Four people familiar with the matter who demand anonymity said that the internal audits are taking way longer than expected. One source directly linked with the association pointed to the maturity documentation indulged with level three as what was tripping some of the companies. The companies prolonged difficulties do not end here as they have to show that they have inculcated the policies and they have to practice those policies every now and then.