DOD issues draft of new contractor cyber standards

A draft of the Cybersecurity Maturity Model Certification (CMMC) is now live, and the Pentagon wants feedback through Sept. 25.
The Air Force Memorial and the Pentagon in Arlington, Virginia. (REUTERS / Joshua Roberts)

The Department of Defense has issued long-awaited cybersecurity standards in draft form for contractors who work with the Pentagon’s sensitive data.

Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) is now live, giving contractors a glimpse into the sort of cybersecurity standards they will need to meet if they want to work on contracts that handle controlled unclassified information (CUI).

Ultimately, CMMC is an effort to secure DOD's extremely complicated and spiderwebbed IT supply chain, from the largest contractors to the smallest.

The new standards have a five-level system that combines guidance currently in place from the National Institute of Standards and Technology with new input from the private sector and academia, including Johns Hopkins Applied Physics Lab and Carnegie Mellon Software Engineering Institute. Third-party commercial organizations will conduct certifications for contractors.

The draft represents “the midpoint of development and we are requesting feedback,” according to an informational website on the model. DOD’s Office of the Under Secretary of Defense for Acquisition & Sustainment is taking feedback on CMMC through Sept. 25, with the goal of issuing another draft sometime in November.

The big milestone, however, is set for January 2020, when DOD plans to issue the final framework. Then, beginning in June 2020, requests for information will include the standards as a requirement, followed by requests for proposals in the fall that year.

Ellen Lord, the undersecretary for acquisition and sustainment, said at a recent press briefing that the model’s inclusion in department contracts will be a “go/no go decision.” CMMC, she explained, “establishes security as the foundation to acquisition, and combines the various cybersecurity standards into a unified standard.”

Creating cybersecurity standards for contractors has been a top priority for the department in recent years.

Earlier this year, DOD CIO Dana Deasy described how tier-one prime contractors aren’t the big concern. “It’s down when you get to the tier-three and the tier-four” subcontractors.

“Where the issue breaks down is that as you go down to those various subcontractors, do they understand, [are they] equipped, have the knowledge and the capabilities to defend themselves, and what is it we should be doing more to help them learn how to defend themselves at those tiers?” Deasy said.

Similarly, in 2017, DOD introduced a regulation that requires all vendors who do business with the department to more safely guard “covered defense information” that is transmitted to or stored in their systems or networks for contracted work.

Katie Arrington, the defense official in charge of the CMMC roll out, emphasized the need for industry feedback in June as part of her “listening tour” in developing the standards.

“It is not a ‘me’ thing, it is a ‘we’ thing,” Arrington said then at a Professional Services Council conference.

The “vast majority” of DOD contractors have ad hoc and inconsistent cybersecurity practices, Arrington said.

“We should be infuriated about what has happened to our data,” she said.
