Pentagon finalizes CMMC standard for contractors

The Defense Department released its first unified cybersecurity standard that all defense contractors will have to meet by 2026.

secure network (vs148/

The Pentagon on Jan 31 released the official version 1.0 of its unified cybersecurity standard that all contractors must meet by 2026.

The standard, called the Cybersecurity Maturity Model Certification (CMMC), will apply to any company that does business with the Department of Defense, from weapons contractors protecting highly classified intellectual property to landscaping firms that service DOD installations. CMMC will apply to subcontractors as well as primes.

Under Secretary of Defense for Acquisition and Sustainment Ellen Lord told reporters during a Jan. 31 briefing that CMMC will be a "complicated rollout" and that the five-year timeline was "realistic" before making it mandatory in all contracts.

DOD plans to release 10 requests for information and 10 requests for proposal this year that incorporate CMMC, Katie Arrington, the chief information security officer for defense acquisition, told reporters during the briefing, and certification will be required when the contract is awarded.

FCW previously reported that number would increase exponentially, anticipating nearly 500 contracts to have the CMMC certification requirement by 2025.

DOD said it's looking at current contracts and how they relate to the CMMC to see which would be part of the pathfinder program, including nuclear modernization and missile defense. Other transaction authorities, Small Business Technology Transfer contracts and Small Business Innovation Research contracts also will be represented in these initial proposal and information requests, the officials said.

Questions remain, however, on how smaller companies will be able to meet the standards without undue burden. DOD has repeatedly stressed that small and medium-sized businesses were a priority in rolling out CMMC.

"One of our challenges is how to bring companies that aren't familiar with defense work in," Lord said when asked about how companies unfamiliar with defense contracts would be able to prepare for the shift. "We just created early this year, what we call a placemat, with step-by-step, how you work with industry."

Step one, she said, would be calling DOD's industry policy team, which would connect companies to CMMC experts. Another route is connecting with industry associations such as the National Defense Industrial Association and the Professional Services Council. The small business office also will have contacts and resources, Arrington said.

Lord said prime contractors were mulling how to ensure their partners are compliant, but wouldn't offer any concrete examples. Kevin Fahey, DOD's deputy acquisition chief, told reporters during the briefing that prime contractors could have subcontractors work within their infrastructure to ensure cybersecurity.

Simone Petrella, the chief executive for workforce development company CyberVista, told FCW that her top concern was the criteria the third-party auditors would be using, "because the effectiveness of having a maturity level assigned to you is only going to be as good as the assessor who's coming in and conducting that audit."

While the actual standards themselves aren't brand new -- CMMC borrows heavily borrowed from the existing NIST Cybersecurity Framework, among others -- the initiative's success relies heavily on the CMMC accrediting body and how it shapes training for the assessors.

Those assessors have not been selected and no one has yet been "designated as qualified," Lord said. Officially dubbed CMMC third-party assessment organizations (C3PAOs), the assessors will be charged with certifying contracting companies, and are trained by the newly stood up CMMC Accrediting Body.

DOD is currently drafting a memorandum of understanding to establish rules, roles and responsibilities between it and the accrediting body. Lord said that memo will address conflicts of interest such as ensuring auditors won't be able to review their own company.

Once up and running, companies will be able to apply for certification through a marketplace portal run by the accrediting body, Arrington said. The CMMC certification will be good for three years; with it, companies will be able to bid on contracts across DOD and the military services.

The DOD acquisition officials said they would share the guidance as it's being developed, but CyberVista's Petrella suggested companies should start figuring out whether they have the right personnel as soon as possible.

"This entire framework is getting fleshed out around everything from your audit logs to your incident response plan and then when you get to training," Petrella said. "Just to be a level two, you have to ensure that personnel are trained to carry out their assigned information security related duties and responsibilities."

"That's kind of a linchpin," she said. "If you don't have the right people with the right competencies to do all those other activities that are required either you have to outsource it all or you're not going to be able to meet that minimum threshold."