Press Releases

CompTIA Joins Coalition of Tech Associations Encouraging Ongoing Partnership with DoD on CMMC

Mar 27, 2020

Washington, DC – Today, CompTIA joined a coalition of technology trade associations encouraging the Department of Defense (DoD) to continue its partnership with industry in its implementation of Cybersecurity Maturity Model Certification (CMMC). In a letter to Under Secretary of Defense for Acquisition and Sustainment Ellen Lord and Chief Information Security Officer Katie Arrington, the groups reiterated the importance of the CMMC’s objectives and offer recommendations for improving its implementation, administration and enforcement.

As the producers and operators of some of the most sophisticated and widely used information technologies, the associations – Information Technology Industry Council (ITI), Alliance for Digital Innovation, BSA: The Software Alliance, Cybersecurity Coalition, Internet Association, and The Computing Technology Industry Association (CompTIA) – have considerable first-hand knowledge of the challenging and evolving nature of the most persistent cyber threats. To that end, their recommendations aim to ensure the federal government’s front-line cyber defenses stay current and are equipped with the tools and techniques to protect sensitive systems and information of the government and industrial partners and offer clarity and predictability in key areas to avoid confusion, delay and associated costs for industry.

“We strongly support efforts to improve defense industrial base (DIB) cybersecurity and appreciate the Department’s openness in meeting with and accepting input from industry about the CMMC,” the associations wrote. “We stand ready to assist DoD in optimizing the CMMC’s effectiveness. Considering and incorporating IT industry feedback will help ensure that DoD implements a structurally sound and holistic initiative from the beginning. Doing so will also help to meet our shared goal of improving DIB cybersecurity in a manner that is aligned with other federal government initiatives and requirements to address supply chain security.”

In their letter, the associations identified several challenges in the current CMMC that could lead to the DIB being even less secure, if left unaddressed. To that end, they encouraged DoD to thoroughly consider the following suggestions and questions as the CMMC evolves during its implementation:

  • Enhance clarity about CMMC’s scope, applicability, and implementation timeline.
  • Certification and recertification, specifically how to manage certifications for a complex and multinational entity, and how companies that are not currently part of the DIB will be prioritized for certification.
  • Streamlining federal cybersecurity requirements to align and promote reciprocity between the DoD Cloud Computing Security Requirements Guide (SRG), DFARS 252.204-7012 and FedRAMP.
  • Ensure no new risks are created by providing additional clarity on how CMMC assessment results, which will contain very sensitive information, will be handled and stored, and by considering the security control requirements of high security and high availability systems.

Read the letter here.

About CompTIA

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem; and the more than 50 million industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy. Through education, training, certifications, advocacy, philanthropy, and market research, CompTIA is the hub for advancing the tech industry and its workforce. Visit www.comptia.org to learn more.

About CompTIA Public Sector & Advocacy

CompTIA supports policies that positively impact the ability of the IT industry to develop, manufacture, and sell solutions in the global marketplace. We work to promote investment and innovation, market access, effective cybersecurity, consistent privacy regulation, streamlined procurement, and research and development. As the leading provider of vendor-neutral IT certifications, we also support efforts to promote a well-trained technical workforce. Visit www.comptia.org to learn more.