CMMC is under an internal DOD review
One of the most consequential programs in defense contracting is getting a second look by the Biden administration.
The Cybersecurity Maturity Model Certification (CMMC) — the new cyber standards all defense contractors will need to adhere to to bid on contracts — is under an ongoing “internal assessment,” according to a Department of Defense spokeswoman.
The DOD did not provide details on the review but said it was routine for a high-impact program like CMMC.
“As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” spokeswoman Jessica Maxwell said in a statement to FedScoop.
While the program is over a year into development, new brass within the Pentagon could choose to make some big changes to what has been program loaded with controversy since inception. Many companies have expressed concern over the cost to adhere to the new CMMC standards, which require them to pay for third-party assessors to inspect their networks against a five-tiered set of controls. If a contractor doesn’t meet the CMMC level required in a contract, it won’t be eligible to bid on it.
“It is now timely to consider what we might want to do differently in the implementation of CMMC,” said Robert Metzger, the head of the Washington, D.C. offices of the Rogers Joseph O’Donnell law firm and co-author of several reports on supply chain cyber threats.
While there is uniform agreement on the need to increase the overall cybersecurity of the defense industrial base, the program has been criticized in its rollout. The initial decision to push much of the implementation responsibility of CMMC to a third-party volunteer organization — the CMMC Accreditation Body — caused some backlash. Eventually, two leaders on the board resigned over a perceived “pay-to-play” marketing scheme.
Metzger suggested the new administration could make changes to the relationship the government has with the CMMC Accreditation Body and what responsibilities it gives to the third-party group. He also anticipates the review could take a look at other issues like staffing of the program management office for CMMC, the interim final rule Defense Federal Acquisition Regulation for CMMC and funding for the program’s implementation.
“It would not surprise me at all if the new administration would want to consider very carefully how best to get this objective achieved,” Metzger said.