Pentagon Receives 2,000 Comments on Vendor Cyber Certification Program


Under Secretary of Defense for Acquisition and Sustainment Ellen Lord (James K. Lee/Defense Department)

The next iteration of the framework will be released in early November, according to Undersecretary for Acquisition and Sustainment Ellen Lord.

The Defense Department is less than three months away from finalizing its framework for measuring vendors’ cybersecurity practices, and industry has a lot to say about the program.

Over the past six weeks, the Pentagon received more than 2,000 comments on the first public draft of the Cybersecurity Maturity Model Certification, or CMMC, according to Ellen Lord, the department’s undersecretary for acquisition and sustainment. The framework would serve as a yardstick for measuring the strength of different contractors’ digital defenses, allowing Pentagon officials to ensure vendors are appropriately protecting the sensitive military data that resides on their networks.

The department will use the feedback to inform the next iteration of the CMMC, which officials plan to publish in the first week of November, Lord said during a press conference on Friday. After another round of public comments, the Pentagon will release the final framework sometime in January, and contracting officers will start incorporating certification requirements into the acquisition process by summer 2020, she said.

“The CMMC establishes security as the foundation to acquisition and combines the various cybersecurity standards into one unified standard,” Lord said. The department will roll out the program “in a strategic manner,” she added, beginning with vendors that support its most “critical programs and technologies.”

The certification program is intended to push the Pentagon’s extensive network of vendors to strengthen their digital defenses, or at least to adopt protections suited to the sensitivity of their work. The initiative comes as adversaries like China increasingly target defense contractors to steal military secrets.

Earlier this month, the department announced it would stand up a nonprofit organization to operate the certification process and oversee the independent assessors who would audit contractors’ cyber practices. Officials estimate there will be roughly 300,000 vendors in need of certifications.

During the press conference, Lord also teased a number of forthcoming initiatives to improve the Pentagon’s IT procurements.

She said the department will soon release an interim software procurement policy meant to promote iterative delivery of new products, increase user engagement and shorten the time it takes to deploy new software in the field. Officials are also in the final stages of publishing “middle-tier acquisition” policy that would support rapid prototyping and deployment of technologies, and shorten the procurement timeline by “orders of magnitude,” according to Lord.

She said the department is also in the process of standing up its intellectual property cadre, a group of experts that will advise the Pentagon and other federal agencies on data rights, cybersecurity and other IP issues.