Pentagon Unveils Final Cyber Standards for Contractors
The Pentagon issued the final contractor standards under the Cybersecurity Maturity Model Certification (CMMC) last week and explained long-term plans for implementation. The new framework, Version 1.0 of the plan, is built from five levels of security standards. The initial phase will be rolled out through requests for information this summer.
Version 1.0 marks the first step toward implementing the new standards for all Department of Defense (DoD) contracts moving forward. According to an agency press conference, the vast majority of contractors working with unclassified information will only need to meet the first level of the framework. Contractors handling more sensitive information will need to obtain higher-level certifications on the five-point framework.
All levels will need to be certified by independent assessors who will conduct in-person checks.
“We are doing this with what I would call irreversible momentum,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said during the conference, though some stakeholders subject to the new framework have expressed concern regarding the pace of the independent assessments.
Stakeholders also expressed concerns last year that the new standards may box small businesses out of contracts, since they are less technologically advanced and therefore remain at the lower end of the five-point scale.
Lord defended the timeline as “realistic,” saying it allows the agency to receive feedback on the plan’s implementation as it goes and to make real-time adjustments as necessary. According to Lord, while the department plans to note CMMC requirements in requests for information starting late spring, specific security levels won’t be included in requests for proposals until the fall. The related rule is expected to be finalized in the Defense Federal Acquisition Regulations at that time.
Katie Arrington, Chief Information Security Officer for the Acquisition and Sustainment Office at the DoD, noted that contractors will not need to hold the certification demonstrating adherence to the required security levels until the time of award. Arrington also noted that certification requirements would not apply to current contracts.
Arrington said this year the agency plans to target 10 requests for information and requests for proposals. For each of those, there are an estimated 150 subcontractors involved. She said the contracts would represent a mix of mostly levels 1 and 3 with “maybe one or two that have the 4 or 5” level. Lord said the department may focus the start of the program on nuclear modernization, missile defense, and other more critical aspects that require more time.
“The CMMC is a critical cornerstone of the department’s overall cybersecurity effort, but it is not the only cybersecurity effort,” Lord explained. She noted Defense is also partnering with the National Security Agency, “looking at weapons systems, looking at installations, assessing cyber vulnerabilities, and then going and mitigating those.”