The Pentagon’s top acquisition official on Tuesday detailed the department’s plans to release final versions of acquisition reform efforts in the coming months, including a rewrite of the DoD 5000 rules, while also clarifying that new cyber security contracting standards will be implemented on a rolling basis in 2020.

Ellen Lord, the under secretary of defense for acquisition and sustainment, told reporters she plans to sign new DoD 5000 policies this month and publish final versions of the Adaptive Acquisition Framework and the new Cybersecurity Maturity Model Certification (CMMC) in January.

Under Secretary of Defense for Acquisition and Sustainment Ellen Lord holds a press briefing at the Pentagon on Dec. 10, 2019. Photo: Matthew Beinart.

“I cannot emphasize how important this is, and I continue to describe it as the most transformational change to acquisition policy in decades,” Lord said of the effort to push the department toward more agile acquisition practices. “This will allow acquisition professionals a choice of six pathways that they can choose from based on the characteristics of a product or system or service to be acquired. For certain acquisition authorities, it suggests what contract types are most appropriate and then gives an example of when they are used correctly and incorrectly. This is based on data-driven analysis.”

Lord noted that the Pentagon is also preparing to release a final version of its middle-tier acquisition authority, which is currently in an interim test period to understand how programs could use the rule to more rapidly move prototypes to fielding.

“We are in the final stages of publishing the middle tier of acquisition policy. This pathway enables program managers to prototype or field mature technology in an operational environment within five years. Since our pilot started 18 months ago, we have gone from zero middle-tier programs in November 2018 to over 50 middle-tier programs today. We’re delivering military utility to warfighters years faster than the traditional acquisition system,” Lord said.

A final policy model for the new CMMC standards will be released in January, following a draft version that was dropped in September and received over 3,000 public comments, according to Lord.

CMMC is intended to improve supply chain security by assigning vendors a cyber security certification on a five-point scale, and establishing minimum cyber assurance levels for all future programs. 

“When we look at cyber security standards, I believe it is absolutely critical to be crystal clear as to what the expectations and measurements are, what the metrics are and how we will audit against those,” Lord said. “Our primes understand this. They understand that this is not a trade-off like a cost, schedule and performance. There is an absolute minimum level to be achieved. However, it is tailored to the needs of the system and it isn’t one-size-fits-all.”

Officials previously detailed plans to roll out CMMC in RFIs by June and RFPs by fall 2020 (Defense Daily, Nov. 4). 

The Pentagon will include CMMC in new contracts on a rolling basis based on priority, according to Lord, to avoid creating a bottleneck effect as companies continue to assess their supply chains to ensure compliance.

Lord confirmed that the department is looking to bring in multiple non-profit groups to serve as third-party evaluators of vendors’ cyber standing, with a decision to be made on those organizations by the end of January.