Cybersecurity audits of independent contractors are being planned by the U.S. Department of Defense with a non-profit organization being established to train and approve certifiers. If the plan gets through, cybersecurity audits of contractors are certain to leach into 5-eyes government standards.

The plan will stem the loss of controlled unclassified information – currently, defense contractors only have to self-attest their adherence to NIST special publications laying out the appropriate protections for such data.

The department intends to activate its certification programme through a non-profit accreditation body that will be tasked with training auditors, establishing the necessary infrastructure, accreditation and credentialing, and assessment operations, as laid out in a slide presentation by the official.

Companies looking to do business with DoD will have the sensitivity of their data assessed, and auditors will determine an appropriate Level 1 through 5 of security required.

“Because we’re doing rulemaking, this isn’t going to roll out as hard and fast as we thought,” a government official told a meeting of the Software Supply Chain Assurance forum recently.

Software Supply Chain Assurance forum meetings are co-led by Defense, the General Services Administration, the National Institute of Standards and Technology, and Homeland Security Department and can be attended by public and private sector representatives and conducted under Chatham House Rules – open exchange of ideas.

The official said DoD expects the CMMC requirements to be issued as a proposed rule in Q2, but regardless of the related public comment process, officials still plan to include the rules in requests for proposals starting in the third quarter.

“In June, we’re going to give you a request for information that says these procurements are targeted to have CMMC requirements,” the official told the form.

Details will be spelled out in a memorandum of understanding between the 2 entities that can be signed as soon as the accreditation body is officially incorporated. The official said that should be done “by the end of the month”.

The official said DoD expects to turn operations over to the accreditation body in February but stressed that the department is “not going to give up control of the model”, which will remain subject to change once issued.

In March, DoD plans to publish the assessment guides that auditors will use to determine what level of data protection will be required.

“We’ve got Treasury, asking about this, State, Canada,” the official said. “If we do this right,” it can really be a model for the broader ecosystem.”