JUST IN: U.S. Allies Considering Adopting Pentagon’s CMMC Cybersecurity Standards

iStock photo-illustration

Foreign partners are considering adopting new cybersecurity standards that industry must eventually adhere to if they want to do business with the Pentagon, the Defense Department’s top weapons buyer said March 4.

Cybersecurity Maturity Model Certification version 1.0, or CMMC, was released in January. The aim of the initiative is to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The lower tier of the supply chain is of particular concern to Pentagon officials.

The specific standards that must be met will depend on the program and work that a company will be doing. The level 1 standards will be the least demanding and level 5 the most burdensome.

Third-party assessors, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts.

The new model will be phased in over the next five years to give contractors time to adjust. By fiscal year 2026, all new Defense Department contracts will contain CMMC requirements that companies must meet to win the award.

Now, foreign nations are considering following in the Pentagon’s footsteps, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said at the annual McAleese & Associates defense programs conference in Washington, D.C.

“Cybersecurity threatens the defense industry, our national security as well as our partners and allies,” she said.

“The CMMC team is working with multiple countries, including Canada, the U.K., Denmark, Italy, Australia, Singapore, Sweden, Poland and the EU Cybersecurity Body,” she noted. “All of these countries and groups acknowledged the challenge we have with cybersecurity. They're looking at what is the most efficient and effective way to secure their industrial base, and there are significant conversations about perhaps adopting our CMMC. So more to come.”

Talks are ongoing through a variety of bilateral discussions, she added.

Meanwhile, the Defense Department is moving forward with its own implementation plans.

The new requirements will be included in requests for proposals for about 10 pathfinder projects later this year.

“Now that CMMC is released, we're really focusing on the remaining timeline, selecting third-party vendors to do the auditing, creating CMMC training material, rulemaking … and completing an agreement with the newly established CMMC accreditation body,” Lord said.

There will be a public hearing about the standards in late April or early May, she noted. A rule change for Defense Federal Acquisition Regulation Supplement 252.204.7012 is slated for the October timeframe. The first CMMC training course for auditors is on track to kick off in April, she said.

Lord was asked if each company in the industrial base would have to contract separately with the third-party auditors.

“That's being discussed right now,” she said, noting that defense officials will be meeting with CEOs and associations like the National Defense Industrial Association later this week.

“That's one of the topics we're talking about,” Lord said. “We're trying to simplify that for industry in general and we're also focusing on how the primes reach down through the sixth, seventh, eighth, ninth level of their supply chain. So that's being worked on right down.”

Topics: Cyber, Cybersecurity