The Pentagon’s final rule for its new Cybersecurity Maturity Model Certification (CMMC) contracting standards is expected to go into effect next spring, with the department working with the services now to select the first 10 to 15 programs to include the requirement, an official said Tuesday.

Stacy Bostjanick, DoD’s director of CMMC policy, also told attendees during a virtual Defense Acquisition University/George Mason University event the initial group of contracts will require no higher than a “Level 3” on the five-point CMMC scale, with most stringent requirements only to be introduced in fiscal year 2022. 

“What will happen is you will see the RFIs (Request for Information) and RFPs (Request for Proposals) come out with verbiage that says ‘this is going to be a CMMC implementation program.’ You will be required, if you want to propose on that, at the time of award to have the CMMC level that would be required in the statement of work,” Bostjanick said.

Last week, DoD released an interim rule for CMMC amending the Defense Federal Acquisition Regulation Supplement (DFARS) and opening up a 60-day period for comments before the rule goes into effect on Nov. 30 (Defense Daily, Sept. 29). 

“Come November 30, we can implement CMMC on various projects across DoD before the rule becomes final. And the rule should become final in Spring 2021,” Bostjanick said. “By 2026, [CMMC] will be required in all contracts except for [commercial off-the-shelf] products.”

CMMC, which is intended to improve DoD’s supply chain security by assigning vendors a cyber security certification, will be rolled out over the next five years to give industry ample time to get a third-party audit of their security level. 

Bostjanick said after fiscal year 2021 CMMC will ramp up to 75 programs, then 250 programs the following year, before expanding to 459 programs in the final two years of the phased rollout. 

“Not all suppliers in that supply chain will necessarily have to be Level 3 just because the program is Level 3. You’re going to have to track and map the [Controlled Unclassified Information] (CUI) as it flows down through the supply chain. Because the guy at the end of the day who builds the bolt or one portion of the weapon system doesn’t necessarily have to have CUI,” Bostjanick said.