The NDAA goes deep into developing the Cyber Director role but for those looking to NDAA for “significant changes” to the cybersecurity maturity model certification (CMMC) program should look elsewhere.

There are eight mentions of CMMC in the bill. I will need to dissect the fund allocations to CMMC. There are an additional five mentions of the cybersecurity maturity model certification in areas of threat and incident response.

It looks like the House Small Business Committee that complained about contractors “having to read really big books” did not have their ammendment approved.

It is really just section 1742 of the bill.

IN GENERAL.—Not later than March 1, 2021, the Sec- retary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cyberse- curity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementa- tion of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.

The report shall shall include, for each component that does not achieve at least level 3 status (referred to as ‘‘good cyber hygiene’’ in CMMC Model ver. 1.02), a determination as to whether and details as to how— (A) such component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and (B) such component will mitigate potential risks until such measures are implemented. (2) COMPTROLLER GENERAL REPORT REQUIRED.—Not later than 180 days after the submission of the report required under paragraph (1), the Comptroller General of the United States shall conduct an independent review of the report and provide a briefing to the congressional defense committees on the findings of the review.

CYBERSECURITY MATURITY MODEL CERTIFICATION FUNDING LIMITATION.—Of the funds authorized to be appropriated by this Act for fiscal year 2021 for implementation of the CMMC, not more than 60 percent of such funds may be obligated or expended until the Under Secretary of Defense for Acquisition and Sustainment delivers to the congressional defense committees a plan for implementation of the CMMC via requirements in procure-ment contracts, developed in coordination with the Principal Cyber Advisor and the Chief Information Officer of the Department of Defense. The plan shall include a timeline for pilot activities, a description of the planned relationship between Department of Defense and the auditing or accrediting bodies, a funding and activity profile for the Defense Industrial Base Cybersecurity Assessment Center, and a description of efforts to ensure that the service acquisition executives and service program managers are equipped to implement the CMMC requirements and facilitate contractors’ meeting relevant requirements.

img credit: Etherwan (2018). NDAA Compliance Statement. Retrieved from:…