Pentagon Announces Final Version of Cyber Standards for Contractors

During an event where Defense Department officials looked to dispel myths about a plan to certify the cybersecurity of its contractors through third-party audits, the department’s head of acquisitions spoke to why the rollout of the program isn’t expected to be done till 2026. 

“We are doing this with what I would call irreversible momentum,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said, answering questions from reporters. 

Some stakeholders have said the plan to subject companies in the defense industrial base to reviews by independent auditors—instead of allowing them to self-attest to security practices—is moving at break-neck speed. But Defense officials were pressed at the event to explain why it would take such a long time to fully implement the program. 

“We’re being realistic in terms of making sure we have pathfinder projects and then we implement it and learn, get the feedback, and go on,” Lord said. 

While the department plans to note CMMC requirements in requests for information starting late spring, specific security levels—ranging 1 through 5, described in a final version 1.0 of the model—won’t be included in requests for proposals till the fall, when it is expected the related rule will be finalized in Defense Federal Acquisition Regulations. 

Spring is also when auditors will start attending classes and CMMC training will be available on the Defense Acquisition University website, officials said.

During the press conference Katie Arrington, chief information security officer for the acquisition and sustainment office, said the “DOD has delivered” the final model to the nonprofit accreditation body that will be managing the audits and issuing certifications. She added they are also “in the process” of getting a memorandum of understanding to that entity.

Arrington stressed contractors won’t need to have their certifications demonstrating adherence to the required security levels till the time of award. 

Among the myths Arrington busted was the idea that the certification requirement would apply to current contracts. That is not true, she said.   

She explained that most contracts go for one “base year” with four option years, noting that’s “why the rollout will take five years, contracts may not come back around for five years.”

During an event hosted Tuesday by the law firm Holland and Knight, regarding the CMMC timeline, Arrington told the audience: “You say it’s aggressive, to me it feels like a glacier.”

Still, the department’s goal for initial audits feels ambitious. 

Arrington said this year alone they plan to target 10 RFIs and RFPs. For each of those, there are an estimated 150 subcontractors involved. She said the contracts would represent a mix of mostly levels 1 and 3 with “maybe one or two that have the 4 or 5” level.  

This seemed somewhat in conflict with Lord, who, answering a question about where the department might focus the start of the program said, “As always, our number one priority is nuclear modernization, missile defense, so those more critical aspects, we would obviously be spending a lot of time on.” 

“The CMMC is a critical cornerstone of the department’s overall cybersecurity effort, but it is not the only cybersecurity effort,” Lord added. She noted Defense is also partnering with the National Security Agency, “looking at weapons systems, looking at installations, assessing cyber vulnerabilities, and then going and mitigating those.”   

Editor's Note: This article was updated with a link to the department's guidance.