For contractors seeking CMMC certification, start with a self-check, DOD says

Get ready for your assessment before it arrives, a DOD official warned contractors. In the coming years, all will need a CMMC certification to win an award.

Photo: the Pentagon (DOD / Lisa Ferdinando)

The Department of Defense is imploring contractors to get ready for Cybersecurity Maturity Model Certification requirements in contracts, and for now, they’ll have to do that on their own.

There are no companies yet officially accredited to do the assessments needed for a contractor to receive an award. That means most of the work to test network security and comply with the new standards will fall on contractors themselves, at least for now, said Stacy Bostjanick, a top official in the DOD’s office running the CMMC program.

Bostjanick said she anticipates that by early summer, a handful of companies will have earned the accreditation needed to audit contractors’ networks for official assessments under the new five-tiered CMMC model.

“Today as we sit here, there is not a [Certified Third Party Assessor] that is ready to come out to your company,” Bostjanick said during AFCEA NOVA’s IC IT day.

The balance is a tricky one between the DOD, which will put CMMC requirements into its contracts, and the CMMC Accreditation Body (CMMC-AB), the third-party entity that issues the accreditations to assessors. The AB needs to work fast enough to meet DOD’s timeline to ensure there is enough of a supply of assessors to meet the demand of the department’s roughly 300,000 contracts that will eventually need an assessment. To ensure there isn’t a crunch on the market, the DOD is phasing its rollout slowly, with only 15 contracts anticipated to have CMMC requirements in fiscal 2021.

Bostjanick recommended contractors work based on the public CMMC model the DOD released a year ago to start ensuring they are up to standards. For many small businesses without a full-time cybersecurity staff, that may require getting outside help.

The AB has already started giving its stamp of approval to consultants and provisional assessors that can help companies get ready for assessments. While CMMC consultants are not required to get a “registered practitioner” certification from the AB (and pay the requisite $500), AB members have said their stamp of approval lends credibility.

There have been several instances of companies overselling their ability to provide CMMC services, Bostjanick and others have pointed out. With the uncertainty of the process and looming deadlines, opportunities have emerged for cybersecurity companies looking to take advantage and make fast cash off of the program. But Bostjanick implored all DOD contractors to keep their eyes on the official list of CMMC assessors and assessment organizations: the AB’s marketplace.

The good news for companies that plan to bid on the initial pilot contracts that will include CMMC requirements is that the AB will put those contractors “at the front of the line” to get certified, Bostjanick said.

“It’s going to be a select group,” she said of the initial pilot contracts, most of which have been announced.