The Defense Department on Thursday disclosed the first seven contracts that are likely to be the initial test cases for the Cybersecurity Maturity Model Certification (CMMC) program, DoD’s new approach to shoring up its suppliers’ IT security.
The department stopped short of a full commitment to subject the forthcoming Navy, Air Force and Missile Defense Agency procurements to CMMC’s requirements. In a statement, DoD said only that they are “candidates” under consideration to serve as pathfinders.
The projects, as described by the Pentagon, are:
Integrated Common Processor
F/A-18E/F Full Mod of the SBAR and Shut off Valve
Yard services for the Arleigh Burke Class destroyer
Mobility Air Force Tactical Data Links
Consolidated Broadband Global Area Network Follow-On
Azure Cloud Solution
Missile Defense Agency
Technical Advisory and Assistance Contract
The department did not immediately provide further details on the procurements beyond the descriptions above, but said each of the contracts are expected to be awarded in fiscal 2021.
Defense officials have previously said they expected 15 procurements to be part of the CMMC “pathfinder” process in 2021 as they attempt to gain real-world insights on how the process will work. DoD plans to scale the process up to encompass all Defense contracts by October 2025. On Tuesday, the department said it is still working with the Army and other DoD organizations to identify more candidates, and that additional contracts could be announced “in the weeks to come.”
An interim rule that formally laid down the regulatory framework for CMMC took effect earlier this month, and DoD is now reviewing comments from industry ahead of any potential changes the department might make to the rule.
In addition to the full CMMC process, which will eventually require every DoD vendor and subcontractor to earn some level of certification from an independent CMMC assessor, the rule added some shorter-term requirements as part of what the department calls a “crawl, walk, run” approach to improving security in the industrial base.
As of Dec. 1, almost all vendors bidding on new contracts will have to log into a web portal and self- attest to DoD which specific security controls in NIST Special Publication 800-171 they’re currently complying with. And especially for contractors who claim a “medium” or “high” score, DoD reserves the right to conduct on-site audits to make sure those attestations are accurate.
“The Defense Contract Management Agency has been doing those audits, which we refer to as DIBCAC assessments, for about two years now,” Katie Arrington, DoD’s chief information security officer for acquisition and sustainment said at an industry conference this month. “What will happen is they will take your assessment that you have given yourself and logged in SPRS, and they’ll actually come to your site and they’ll say, ‘Let’s see how we think you’re actually doing.’ If you’re doing all 110 controls, you’ll be known as a ‘DIBCAC high,’ and that will be good for three years for your company.”