By the end of September, the Defense Department will require at least some companies bidding on defense contracts to certify that they meet at least a basic level of cybersecurity standards when responding to a request for proposals.
DoD released its new Cybersecurity Maturity Model Certification today, billed by the undersecretary of defense for acquisition and sustainment as "Version 1.0."
By June, the department plans to publish as many as 10 requests for information on contracts that include CMMC requirements, Ellen M. Lord said during a Pentagon news conference announcing the certification effort. By September, she said, the department will also publish corresponding requests for proposals that include those requirements. By fiscal year 2026, all new DoD contracts will contain the CMMC requirements, Lord said.
"I believe it is absolutely critical to be crystal clear as to what expectations for cybersecurity are, what our metrics are, and how we will audit for those expectations," Lord said. "CMMC is a critical element of DoD’s overall cybersecurity implementation."
Lord said cybersecurity risks threaten the defense industry and the national security of the U.S. government, as well as its allies and partners. About $600 billion, or 1% of the global gross domestic product, is lost through cyber theft each year, she noted.
"Adversaries know that in today's great-power competition environment, information and technology are both key cornerstones," she said. "Attacking a sub-tier supplier is far more appealing than a prime [supplier]."
The CMMC gives the department a mechanism to certify the cyber readiness of the largest defense contractors — those at the top who win contracts are called "primes" — as well as the smaller businesses that subcontract with the primes.
The new CMMC provides for five levels of certification in both cybersecurity practices and processes.
"Something ... simple in Level 1 would be, 'Does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords?'" said Katie Arrington, DoD's chief information security officer for acquisition. "CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company and your own information."
By CMMC Level 2, Arrington said, the department will also begin looking at cybersecurity processes as well, to ensure cybersecurity is not just practiced, but that a company is effectively documenting, managing, reviewing and optimizing its practices across its entire enterprise.
Arrington said that for the roughly 10 requests for information and requests for proposals DoD is expected to publish later this year for potential contracts, she expects a mix of CMMC certification levels will be required.
"We'll have some CMMC Level 3, CMMC Level 1, and there may be one or two with the 4 or 5 CMMC levels going out," Arrington said.
The department will not be certifying potential defense contractors for CMMC on its own. Instead, Lord explained, a series of CMMC "third-party assessment organizations" or C3PAOs, will conduct those assessments. The C3PAOs will also not be paid by the department, Lord said. "That's a private transaction between industrial base companies and those of certification bodies," she added.
No C3PAOs have been designated to conduct the assessments yet, Lord said. noting that while multiple companies are interested, DoD has not yet designated who is qualified.
A newly created 13-member CMMC accreditation body, made up of members of the defense industrial base, the cybersecurity community and the academic community will oversee the training, quality and administration of the C3PAOs, Lord said.
Meanwhile, she said, the department is drafting a memorandum between DoD and the CMMC accreditation body to outline its roles, responsibilities and rules. She said one area of concern will be to ensure no conflicts of interest are involved in accreditation. For example, a C3PAO would not be able to accredit itself for CMMC.
No existing contracts with the department will have CMMC requirements inserted into them, Arrington said.
Subcontractors to a prime contractor will not all need to have the same level of CMMC certification to win a contract, Arrington said.
"Security is not one size fits all," she added. Instead, she said, depending on how controlled unclassified information flows between those parties involved in a contract, subcontractors might need only be a CMMC Level 1 company.
CMMC will ensure a more level and fair playing field for companies bidding on DoD contracts, Arrington said. Today, she said, some small businesses bidding on work might self-attest that they meet requirements to handle certain kinds of information, but in fact only are planning to meet those requirements, while another business might actually be meeting the requirements. CMMC, she said, will ensure that only companies that actually meet requirements can compete for contracts.
"We need to make sure our industry partners are prepared to take on the work, and our third-party auditors will ensure that they are implementing the practices that we need in place to secure that national defense and our industrial base," Arrington said.
Lord said the department is aware that CMMC requirements could be a burden to some smaller companies and that DoD is working with primes and smaller companies to help them overcome that burden.
"We need small and medium businesses in our industrial base, and we need to retain them," she said. "We will continue to work to minimize impacts, but not at the cost of national security."
Related Transcript: Press Briefing by Under Secretary of Defense for Acquisition & Sustainment Ellen M. Lord, Assistant Secretary of Defense for Acquisition Kevin Fahey, and Chief Information Security Officer for Acquisition Katie Arrington