DOD to use a third-party nonprofit for new contractor cybersecurity certification

The Cybersecurity Maturity Model Certification will be managed by a third-party nonprofit.

The Department of Defense is on the hunt for a third-party nonprofit to manage the forthcoming Cybersecurity Maturity Model Certification standards that will become the new requirements for defense contractors’ cybersecurity.

The CMMC was announced last month by Katie Arrington, special assistant to the assistant secretary of defense acquisition for cyber. Arrington gave greater details on the plan in a Wednesday webcast produced by the Professional Services Council.

The new details shed light on the third-party certification system, which will be managed by a nonprofit company in the coming months. Meeting CMMC level guidelines will be a required step for contractors who wish to do business with the DOD.

“We are making security a part of that discussion,” Arrington said. “In fact, it is paramount to that discussion.”


The CMMC will have five levels to suit all contractors — from companies that manufacture boots to advanced technical contractors. Arrington hopes that whichever third-party company is selected will begin its work of certifying and training contractors by January 2020.

The new certification levels are designed to help small businesses that have large innovation potential but have long struggled with cybersecurity. When nation-state actors like China and advanced persistent threats go after small businesses, “it is very hard to defend,” Arrington said.

The CMMC will also add a cybersecurity team to the Defense Contracting Management Agency. The team will respond to cyberthreats in the defense industry and try to help coordinate better practices across the public and private sectors. The new team comes as top officials in the Defense Department push to consolidate redundancies across Fourth Estate agencies such as the DCMA.
