As the Pentagon moves forward with the rebooted version of its Cybersecurity Maturity Model Certification (CMMC) effort, the department has shifted responsibility for the program from its acquisition and sustainment (A&S) office to the office of the chief information officer.

The department said the move to realign CMMC 2.0 with the CIO’s office is intended to “consolidate industry-related cybersecurity programs under common leadership and direction” as it pursues implementation of the future cybersecurity contracting standards.

Photo: Mr. John Sherman, then the acting Department of Defense chief information officer, participates in a virtual panel with Billington Cybersecurity at the Pentagon, April 15, 2021 (DoD photo by Chad J. McNeeley).

“I’d like to highlight the great work by A&S to establish the CMMC program,” DoD CIO John Sherman said in a statement. “As we realign responsibility for the program, it’s important to note that we will continue to work closely with A&S on this program.”

CMMC Director Stacy Bostjanick and five other civilian officials will move in the transition and be realigned under the deputy CIO for cybersecurity “to increase the program’s integration with other Defense Industrial Base Cybersecurity programs,” according to Sherman.

The Pentagon rolled out CMMC 2.0 in November after a nine-month review process of the original effort, with the new model reducing the number of tiers of compliance from five to three and allowing for more self-assessment opportunities on certain types of programs (Defense Daily, Nov. 4).

The realignment announcement arrives as DoD’s CIO office has submitted proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS) rule-making process for implementing CMMC 2.0 “to ensure maximum collaboration on these requirements,” the department noted.

While the rulemaking process to implement another interim CMMC policy may take nine to 24 months, the Pentagon has said it’s looking at providing incentives for contractors to voluntarily obtain a CMMC certification in the interim period.

Officials leading the CMMC program’s accreditation body said in December that the assessment process to certify third-party auditors is likely to begin again early this year, before voluntary cybersecurity assessments can restart (Defense Daily, Dec. 22).