Gordon Bitko, senior vice president for policy and public sector at the IT Industry Council, said there's an “arbitrary rush” for agencies to meet the National Defense Authorization Act's deadlines, Federal News Network reported Monday.
The NDAA requires the Department of Defense to “develop a consistent, comprehensive framework” for improving the security of the defense industrial base by February. The Cybersecurity Maturity Model Certification effort, launched last year, must be presented to lawmakers by March 11.
According to Bitko, DoD might “create a duplicative infrastructure” if it doesn’t address issues such as CMMC’s scope, its applicability to the supply chain and the feasibility of conducting certifications for thousands of vendors every three to five years.
In addition to the CMMC, the NDAA also requires the Pentagon to pilot two to five projects involving “alpha contracting teams” for complex acquisitions.
Matthew Cornelius, executive director of the Alliance for Digital Innovation, said the effort will bring out the best in industry, academic and government entities if done correctly.
“These initiatives should be broadly scoped so as to allow true collaboration and technical expertise to influence better buying decisions and not bias outcomes towards a single, established entity,” he noted.