Susan Cassidy is quoted in Law360 regarding the DoD’s implementation of cybersecurity requirements for defense contractors. Ms. Cassidy says that questions about the process, such as who will audit the thousands of contractors that need to be certified for cybersecurity compliance, how they will be audited and what options they will have if they disagree with an audit, remain unanswered. "This is the 'devil is in the details' part of it, in many ways the hardest part of this, because it's the practical implementation [of the plan]. And I'm hoping [the DOD] ... seeks industry input, because industry will think of practical issues that they may not have, because they're not on the business side of it."
She adds, "The accreditation process still seems like it's the long pole of the tent. The concern there, and I don't know if they've thought about this [although] I'm assuming they have, is what are the qualifications to be an accreditor ... and how are they going to vet that? Because you're going to have what appears to be a lot of smaller entities — it doesn't mean they're not good, but my guess is it'll be uneven. So how are they going to ensure quality?" If there is no clear avenue for appeal, contractors could be "stuck" with their CMMC level for as long as three years, which is how long a certification will last. "We need some due process in there."