The Pentagon’s Cybersecurity Maturity Model Certification program will begin including security requirements in select solicitations starting next year.
The Defense Department, worried about potential cybersecurity risks from its vendors, is in the midst of implementing a new supply chain security certification and announced the first pilots set for the coming year.
The Pentagon has been working on the Cybersecurity Maturity Model Certification program since 2018. While other programs like the Federal Risk and Authorization Management Program, or FedRAMP, look at the security of products purchased by government agencies, CMMC is designed to look at the companies that supply those products to ensure sensitive DOD data is safe with those vendors.
The risks are not imagined. For years, DOD officials have pointed to Chinese espionage efforts and a plane that looks a lot like the U.S.-built F-35, among others. And, just this week, news broke of a critical vulnerability purposely inserted into a commercial software product used across government and the private sector.
When fully implemented, every solicitation for products or services coming out of the DOD and military branches will include some form of CMMC requirement, based on the security level required for the sensitivity of the data involved.
But before the full rollout, the Pentagon wants to run some tests to see how it will all work in practice. The plan includes a phased rollout over five years—from 2021 through 2025.
CMMC officials are considering pilots for pending solicitations at two service branches and a support agency:
- Three from the Navy: Integrated Common Processor, F/A-18E/F Full Mod of the SBAR and Shut Off Valve, and DDG-51 Lead Yard Services/Follow Yard Services.
- Three from the Air Force: Mobility Air Force Tactical Data Links, Consolidated Broadband Global Area Network Follow-On, and Azure Cloud Solution.
- One from the Missile Defense Agency: Technical Advisory and Assistance Contract.
“For approved pilots, all offerors will undergo the appropriate CMMC assessment, and awardee must achieve the required CMMC level at time of contract award, and flow down the appropriate CMMC requirement to subcontractors,” the department said in a release.
The initial pilots will cover the lower tiers of CMMC requirements: Levels 1, 2 and 3.
The release also notes the CMMC program office is working with “the Army and other defense agencies to identify and approve additional candidate CMMC pilots, to ensure they fit within the criteria.” The office promised additional pilots and updates “in the weeks to come.”