

Mandatory review of DOD's compliance on CMMC is delayed

The Defense Department has asked for more time to deliver an assessment to Congress about whether its components comply with the unified cybersecurity standard for defense contractors known as the Cybersecurity Maturity Model Certification program, Defense Systems has learned.

A provision in the 2021 National Defense Authorization Act requires DOD's CIO and the commander of the Joint Forces Headquarters-Department of Defense Information Network to review each DOD component for cyber hygiene and assess compliance with CMMC.

The report is supposed to identify a "component's CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework," according to the legislation.

Those components that don't meet CMMC level 3 requirements, also referred to as "good cyber hygiene," will have to "implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022."

The report stemming from that review was due to Congress on March 1, but has been pushed to June, according to a Hill aide familiar with the matter.

DOD spokesperson Russ Goemaere told Defense Systems the review was now due June 30 so the CMMC assessment "could be met by cross-walking compliance with the department's more stringent cybersecurity control standards."

The CMMC program, a unified standard that defense contractors handling controlled unclassified information will have to meet to bid on contracts, is expected to enter the pilot stage with select contracts later this year; full implementation for all defense contracts is planned for 2025.

"The Cybersecurity Maturity Model Certification will continue to be a focal point" for ranking member Sen. Jim Inhofe (R-Okla.) and Cybersecurity Subcommittee ranking member Sen. Mike Rounds (R-S.D.), a spokesperson for Senate Armed Services Committee Republicans told FCW. "One area where the committee is particularly concerned is balancing the cybersecurity of the defense industrial base with making sure the burden on small- and medium-sized businesses isn't too great."

DOD has not yet responded to a request for comment.

The Defense Department is also running a separate review of supply chain and risk management programs, including CMMC, led by Stacy Cummings, DOD's acting acquisition chief.

"In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the Department remains deeply committed to the security and integrity of the defense industrial base," DOD spokesperson Jessica Maxwell told FCW. "As is done in the early stages of many programs, the DOD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process…. This assessment will be used to identify potential improvements to the implementation of the program."

News that DOD was conducting an internal review was first reported in FedScoop.

This article was updated to include a statement from DOD and was first published on FCW, a Defense Systems partner site. 

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
