The Pentagon will hold a public hearing in late April or early May for its new cyber security contracting standards, as the department prepares to select third-party auditors and roll out the requirements in 10 pilot programs this summer.

Ellen Lord, the department’s top acquisition official, on Wednesday detailed the next steps for the Cybersecurity Maturity Model Certification (CMMC) standards, including plans to announce the first slate of test programs “in the very near future.”

Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord, Kevin Fahey, and Katie Arrington hold a press briefing at the Pentagon, Washington, D.C., Jan. 31, 2020. (DoD photo by Navy Petty Officer 2nd Class James K. Lee)

“Now that CMMC is released we’re really focusing on the remaining timeline; selecting third party vendors to do the auditing, creating CMMC training material, rulemaking and completing an agreement with the newly established CMMC accreditation body,” Lord told attendees at the McAleese conference.

The department in January released the final version of CMMC, which is intended to improve supply chain security by assigning vendors a cyber security certification on a five-point scale (Defense Daily, Jan. 31).

CMMC will be rolled out incrementally beginning with 10 programs this year before being included in all contracts starting in 2026. 

Lord told reporters following her discussion that the Pentagon has selected “specific types of programs” for the pilot efforts to understand how CMMC would affect different supply chains.

“What we’re doing is we want to start small and get larger. So we’ll take some smaller programs, probably a services program, probably a hardware program and a software program, to try to work on different types of programs that might get at different parts of the supply chain,” Lord said. 

The Pentagon is also on track for its first training course for CMMC auditors in April, according to Lord.

Lord added that her CMMC team has started working with Canada, the U.K., Denmark, Italy, Australia, Singapore, Sweden, Poland and the E.U. cyber security body on implementing similar cyber assurance programs to grow the effort across global supply chains.