Pentagon
releases CMMC
standard for
contractors
The success of the Defense Department’s unified cybersecurity standard is complex enough to require a five-year rollout, and it hinges on the quality of the new Accreditation Body
BY LAUREN C. WILLIAMS
P entagon officials have released the highly anticipated Version 1.0 of its unified cybersecurity standard, called the Cybersecurity Maturity Model Cer- tification. But efforts to ensure compli- ance with the new standard have just
begun.
CMMC will apply to any contractor
or subcontractor that does business with the Defense Department, includ- ing weapons contractors that protect highly classified intellectual property and firms that provide landscaping services at DOD installations. Compa- nies have until 2026 to comply with the standard.
During a Jan. 31 briefing, Undersecre- tary of Defense for Acquisition and Sus- tainment Ellen Lord told reporters that the five-year timeline for CMMC’s com- plicated rollout was necessary before making it mandatory in all contracts.
Katie Arrington, DOD’s chief infor- mation security officer for acquisition, told reporters that DOD officials plan to release 10 requests for information and 10 requests for proposals this year that incorporate CMMC. Winning vendors will be required to certify compliance with the new standard when the con- tracts are awarded.
ber of affected contracts will gradually increase from at least 15 in fiscal 2021 to 479 in fiscal 2024.
Arrington predicted that 1,500 con- tractors will be CMMC certified by fis- cal 2021, with more than half of those certified at Level 1. By fiscal 2025, that number is expected to grow to almost 48,000 of the estimated 300,000 com- panies in the defense industrial base.
An undue burden for small companies?
DOD officials said they’re reviewing cur- rent contracts to see how they relate to CMMC and determine which programs could serve as pathfinders for the new standard. Other transaction authorities, Small Business Technology Transfer contracts and Small Business Innova- tion Research contracts will also be rep- resented in the initial RFIs and RFPs.
A number of questions persist about how the standard will be implemented, however. In particular, many experts are concerned about making it possible for small companies to comply with- out undue burden. DOD officials have repeatedly said they made such busi- nesses a priority when deciding how to deploy CMMC.
32 January/February 2020
FCW.COM
DOD documents state that the num-
“One of our challenges is how to