The Department of Defense is considering financial rewards and other incentives to encourage contractors to enhance their network defenses before the latest iteration of the Cybersecurity Maturity Model Certification program comes to fruition, Federal News Network reported Friday.
“Some of the things that we’re looking at is the potential of if a company can demonstrate that their networks are secure, then they could possibly garner a higher profit margin,” said Stacy Bostjanick, director of CMMC policy within the office of the undersecretary of acquisition and sustainment at DOD.
Officials said DOD will kick off the rulemaking process for CMMC 2.0, which could take nine months to two years to complete.
“Another area that we’re looking at is increasing the use of evaluation criteria for contracts where it doesn’t necessarily have to be a CMMC certification, but we will assess people’s network security as part of a source selection evaluation,” said Bostjanick. “So it would still be a factor in garnering award prior to CMMC becoming effective through rulemaking.”
Several CMMC third-party assessment organizations have secured certification from the CMMC Accreditation Body to evaluate contractors’ network defenses, and Bostjanick said the Pentagon would accept those C3PAO assessments as part of the incentive program.