Susan Cassidy is quoted in Inside Cybersecurity regarding the request from contractors for greater transparency on audit results from the DoD’s Cybersecurity Maturity Model Certification program.
Ms. Cassidy says she is concerned about how the relationship will work between the prime and subcontractor. “All contractors will need to have a basic assessment [under 800-171] done for any new contract actions once the rule is effective,” she says. “And a prime will not be able to award a subcontractor unless that subcontractor has a basic assessment score. But it appears that prime contractors will need to rely on certifications from subcontractors as to whether that assessment has been done because contractors only will have access to their own information in SPRS.”
She says it is “not entirely clear” how the information submitted to DOD will be used, and that more clarity is needed on medium and high assessments for 800-171 and on how to resolve disputes over results between the assessor and contractors. In addition, there is confusion over who will complete the assessments for 800-171: the Defense Contract Management Agency or individual DOD components. “There is a lot of information that will be collected by DoD and it is not entirely clear how it will be used,” she adds. “As always, contractors will need to be careful and accurate in their assessments, but the 800-171 controls do allow for some interpretation.”
Ms. Cassidy questions how the actual audit and certification process will work. She points to the lack of guidance “on how contractors can contest assessments they disagree with, whether a contractor can seek a new assessment in the midst of the three-year period, and/or how conflicts for assessors will be addressed.”