Fresh draft of DOD contractor cybersecurity standards coming next month

Lord also detailed a first event next month focused on drones for the department's new Trusted Capital Marketplace.
Undersecretary of Defense for Acquisition and Sustainment Ellen Lord
Undersecretary of Defense for Acquisition and Sustainment Ellen M. Lord speaks to members of the press during a press briefing at the Pentagon. (DoD /U.S. Army Staff Sgt. Nicole Mejia)

The Department of Defense will publish the second draft of its newly created Cybersecurity Maturity Model Certification early next month.

Undersecretary for Aquisition and Sustainment Ellen Lord said in a press conference that version 0.6 of the CMMC will be released for comment the first week of November.

“We are looking to roll CMMC out in a strategic manner, and will focus on our critical programs and technologies,” Lord said.

DOD issued version 0.4 of the framework, the first publicly released, last month. CMMC is meant to secure the defense supply chain by requiring contractors of all sizes to meet cybersecurity standards set out as a basic requirement in contracting language.


Already, DOD has received more than “2,000 comments, which are being reviewed and used to help tailor the final model,” Lord said.

The official framework, version 1.0, will drop January 2020, Lord said. Then, the first requests for information to include the CMMC language will come June 2020, with the final request for proposals later that fall, she said.

“We in the DOD will continue to work with the defense industrial base to ensure that the supply chain and the interested parties are informed, prepared and properly positioned,” Lord said.

DOD is also searching for a nonprofit entity to serve as the accreditation body for the CMMC program.

Trusted Capital Marketplace drone event next month


Next month, Lord’s team will also host the first event around its new Trusted Capital Marketplace — what she called a ” public-private partnership that will convene trusted sources of private capital with innovative companies critical to defense industrial base and national security.”

The Nov. 13 event, co-sponsored by Texas A&M University, will focus on small unmanned aerial systems (UAS) and counter-UAS technologies.

The university, Lord said, will host a website taking submission applications to join the event, which will have “about 75 slots open for industry, and then slots open for capital providers” given out on a “first-come, first-serve basis.”

During the press conference, Lord also detailed the Pentagon’s current use of waivers for military services to use DJI brand drones that are otherwise banned by the department over cybersecurity concerns and allegations of links to the Chinese government. She said, yes, the services do grant waivers, but the DJI drones are not used in the field.

“The reason that we write some waivers for these is to have them used on ranges, in highly controlled conditions to test our counter-UAS capability so those are used as targets,” she said. “We are not authorizing utilization of Chinese drones out in the field.  We are using them for targets.”

Latest Podcasts