The Department of Defense announced the first contracts to which it plans to add new contractor and subcontractor cybersecurity requirements.
The Pentagon aims to integrate Cybersecurity Maturity Model Certification (CMMC) requirements into seven pilot contracts by the end of 2021. Those pilot contracts will require vendors to meet a level three certification under the new standards, similar to the current standards in place for contracts that contain controlled unclassified information.
Under CMMC, contractors will need to pay for a third-party assessment to ensure they are meeting the needed level of security in their networks. CMMC carries five levels of security, ranging from level one, with light controls, to level five, which requires hundreds of expensive locks on networks.
The contracts that could be the first to see CMMC level three requirements are divided among two of the military services and a support agency:
- U.S. Navy
  - Integrated Common Processor
  - F/A-18E/F Full Mod of the SBAR and Shutoff Valve
  - DDG-51 Lead Yard Services / Follow Yard Services
- U.S. Air Force
  - Mobility Air Force Tactical Data Links
  - Consolidated Broadband Global Area Network Follow-On
  - Azure Cloud Solution
- Missile Defense Agency
  - Technical Advisory and Assistance Contract
CMMC became an official Defense Federal Acquisition Regulation (DFAR) earlier in December, but DOD’s Acquisition and Sustainment directorate is still reviewing comments from industry on the rule and may adjust it.
The CMMC Accreditation Body, which is working to approve the assessors that will inspect contractors’ networks, welcomed the news, saying it has been working closely with the DOD to get ready for the rollout.
“The AB has worked closely with the CMMC [Program Management Office] in preparing the provisional assessors to support the pilot activities kicking off next year and feel we are well prepared and partnered with the PMO to ensure success,” Wayne Boline, a CMMC AB board member and spokesperson, told FedScoop in a statement.
In its statement, DOD said it is “currently reviewing the following pilot nominations,” meaning that the list of contracts might not end up being the first to get requirements. Katie Arrington, chief information security officer of acquisition and sustainment and lead CMMC official, has previously said that the DOD plans to put CMMC requirements in around 15 contracts by the end of next year.
Services like the Army and other defense agencies are notably missing from the list. It is unclear what the delay for the Army and others signing on means for the interagency process of rolling out the program from a DOD-wide initiative to being implemented at service-level acquisition offices.
“The CISO team continues to work with the Army and other defense agencies to identify and approve additional candidate CMMC pilots, to ensure they fit within the criteria, and will provide updates in the weeks to come,” the notice said.