The department is only naming seven upcoming procurements as candidates for the CMMC pilot program for the moment, but says more could be announced in the coming...
The Defense Department on Thursday disclosed the first seven contracts that are likely to be the initial test cases for the Cybersecurity Maturity Model Certification (CMMC) program, DoD’s new approach to shoring up its suppliers’ IT security.
The department stopped short of a full commitment to subject the forthcoming Navy, Air Force and Missile Defense Agency procurements to CMMC’s requirements. In a statement, DoD said only that they are “candidates” under consideration to serve as pathfinders.
The projects, as described by the Pentagon, are:
The department did not immediately provide further details on the procurements beyond the descriptions above, but said each of the contracts is expected to be awarded in fiscal 2021.
Defense officials have previously said they expected 15 procurements to be part of the CMMC “pathfinder” process in 2021 as they attempt to gain real-world insights on how the process will work. DoD plans to scale the process up to encompass all Defense contracts by October 2025. On Tuesday, the department said it is still working with the Army and other DoD organizations to identify more candidates, and that additional contracts could be announced “in the weeks to come.”
An interim rule that formally laid down the regulatory framework for CMMC took effect earlier this month, and DoD is now reviewing comments from industry ahead of any potential changes the department might make to the rule.
In addition to the full CMMC process, which will eventually require every DoD vendor and subcontractor to earn some level of certification from an independent CMMC assessor, the rule added some shorter-term requirements as part of what the department calls a “crawl, walk, run” approach to improving security in the industrial base.
As of Dec. 1, almost all vendors bidding on new contracts will have to log into a web portal and self-attest to DoD which specific security controls in NIST Special Publication 800-171 they’re currently complying with. And especially for contractors who claim a “medium” or “high” score, DoD reserves the right to conduct on-site audits to make sure those attestations are accurate.
“The Defense Contract Management Agency has been doing those audits, which we refer to as DIBCAC assessments, for about two years now,” Katie Arrington, DoD’s chief information security officer for acquisition and sustainment said at an industry conference this month. “What will happen is they will take your assessment that you have given yourself and logged in SPRS, and they’ll actually come to your site and they’ll say, ‘Let’s see how we think you’re actually doing.’ If you’re doing all 110 controls, you’ll be known as a ‘DIBCAC high,’ and that will be good for three years for your company.”
Copyright © 2024 Federal News Network. All rights reserved.
Jared Serbu is deputy editor of Federal News Network and reports on the Defense Department’s contracting, legislative, workforce and IT issues.