Mandatory review of DOD's compliance on CMMC is delayed

The Defense Department was supposed to submit a review to Congress by March 1 assessing whether components complied with the guidelines of the Cybersecurity Maturity Model Certification program. That deadline has been pushed to June.


The Defense Department has asked for more time to deliver an assessment to Congress about whether its components comply with the unified cybersecurity standard for defense contractors known as the Cybersecurity Maturity Model Certification program, FCW has learned.

A provision in the 2021 National Defense Authorization Act requires DOD's CIO and the commander of the Joint Forces Headquarters-Department of Defense Information Network to review each DOD component for cyber hygiene and assess compliance with CMMC.

The report is supposed to identify a "component's CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework," according to the legislation.

Those components that don't meet CMMC level 3 requirements, also referred to as "good cyber hygiene," will have to "implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022."

The report stemming from that review was due to Congress on March 1, but has been pushed to June, according to a Hill aide familiar with the matter.

The CMMC program, a unified standard that defense contractors handling controlled unclassified information will have to meet to bid on contracts, is expected to enter the pilot stage with select contracts later this year; full implementation for all defense contracts is planned for 2025.

"The Cybersecurity Maturity Model Certification will continue to be a focal point" for ranking member Sen. Jim Inhofe (R-Okla.) and Cybersecurity Subcommittee ranking member Sen. Mike Rounds (R-S.D.), a spokesperson for Senate Armed Services Committee Republicans told FCW. "One area where the committee is particularly concerned is balancing the cybersecurity of the defense industrial base with making sure the burden on small- and medium-sized businesses isn't too great."

DOD has not yet responded to a request for comment.

The Defense Department is also running a separate review of supply chain and risk management programs, including CMMC, led by Stacy Cummings, DOD's acting acquisition chief.

"In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the Department remains deeply committed to the security and integrity of the defense industrial base," DOD spokesperson Jessica Maxwell told FCW. "As is done in the early stages of many programs, the DOD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process.… This assessment will be used to identify potential improvements to the implementation of the program."

News of this internal review was first reported in FedScoop.