The Pentagon’s new cyber standards for future contracting opportunities will be incorporated in all requests for information by next June and all proposal requests in fall 2020, a top Defense Information Systems Agency (DISA) official said Monday, as the department pushes industry to take responsibility for the digital security of their entire supply chain.

Maj. Gen. Garrett Yee, the Pentagon IT agency’s assistant to the director, told attendees at a DISA industry event that a final version of the Cybersecurity Model Maturity Certification (CMMC) will be published in January.

“We’ve been talking about [supply chain risk management] for a couple years and now it’s going to happen,” Yee said. “Not only do we need to know what the prime is doing, but the subcontractor to the prime and the subcontractor to the subcontractor and then seven levels down.”

Ellen Lord, the Pentagon’s top acquisition official, first detailed CMMC in August before a draft version of the new framework was released in September (Defense Daily, Aug. 26). 

Yee said the Office of the Secretary of Defense (OSD) received over 2,000 comments from industry, with the feedback also helping to inform the distinctions between CMMC’s five cyber security certification levels.

“The idea here is, to provide a little more detail, it’ll be part of a ‘go or no-go’ decision in the contracting process. Meaning that if you’re not at a certain level of cyber security, you won’t go forward in the process,” Yee said.

Vice Adm. Nancy Norton, the DISA director, and Yee spoke to reporters at the event and reiterated that CMMC is intended to have companies, from major industry partners through medium- and small-size businesses, continuously assess the cyber resiliency of their supply chains.

“This is what’s new. We’re now saying that you actually do have to take responsibility for your supply chain,” Norton said. “That’s the point of cyber security. You’re no better than your weakest link.”

Yee told reporters OSD is currently working through selecting a non-profit organization to serve as a third party to evaluate vendors against the CMMC criteria.