The Pentagon’s new cyber security requirements for contracts will be rolled out in about 10 programs this year before being included in all defense acquisition efforts starting in fiscal year 2026, officials said.

Defense Department officials detailed the final version of the new Cybersecurity Maturity Model Certification (CMMC) on Friday and addressed concerns the new requirements could place a burden on smaller companies looking to meet the more stringent security criteria.

Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord, Kevin Faheny and Katie Arrington hold a press briefing at the Pentagon, Washington, D.C., Jan. 31, 2020. (DoD photo by Navy Petty Officer 2nd Class James K. Lee)

“We have been working with industry associations, primes, mid-tier and small companies on how we can most effectively roll out CMMC so it does not cause a significant cost penalty for the industrial base,” Ellen Lord, the Pentagon’s top acquisition official, told reporters. “[CMMC] is the cost of being awarded a contract or not. This is not a trade with cost, schedule and performance. There’s a minimum standard that needs to be met, which will allow you to be compliant or not compliant.”

CMMC is intended to improve supply chain security by assigning vendors a cybersecurity certification on a five-point scale. Lord added that she believed the phased rollout will give industry partners time to ensure their subcontractors can establish the minimum cyber assurance levels required for future programs.

Lord also noted that CMMC will not be retroactively applied to current Pentagon acquisition efforts. 

Katie Arrington, the Pentagon’s lead for CMMC, said the Pentagon is now working with each of the services to identify around 10 programs that will have Request for Information notices rolled out in June with CMMC requirements, followed by Request for Proposal notices in October.

The first group of pathfinder programs will include a mix of contracts that require basic cyber hygiene at Level 1 through advanced processes at Level 5, Arrington told reporters.

“We’re doing this in a very deliberate, slow rollout process. We are going to start with just a few contracts,” Arrington said.  

Arrington noted all organizations that do business with DoD will have to be certified within the next five years, and that a CMMC certification will be valid for three years at a time. 

The Pentagon has also established a CMMC Accreditation Body that will now use the final model to train organizations interested in serving as third-party auditors, also called C3PAOs.

“I believe it is absolutely critical to be crystal clear as to what expectations for cyber security are, what our metrics are and how we will audit for those expectations,” Lord said. “Conflicts of interest will be a point of emphasis in the memorandum of understanding, helping ensure auditors cannot review one’s own company, for example.”

Once the accreditation body has certified C3PAOs, companies will then be able to start scheduling CMMC assessments through a new marketplace portal.

Lord said the Pentagon received over 2,000 public comments in the months following the release of the first draft version of CMMC in September, and that she met with trade associations such as the Professional Services Council (PSC) to receive feedback on the rollout.

“The government and the contractor community must keep working together to address real and growing cybersecurity threats, and we need a robust response to protect our infrastructure, information, and supply chains,” David Berteau, president of PSC, said in a statement. “With today’s announcement, DoD has achieved a significant milestone. PSC remains committed to the important next step of implementing the model and achieving the protections necessary.”