JUST IN: Pentagon Expects 7,500 Companies CMMC Certified by 2021
The Defense Department anticipates that by next year 7,500 companies in its industrial base will hold certifications that they meet new cybersecurity requirements, a senior official said July 22.
The Cybersecurity Maturity Model Certification version 1.0 requirements are part of the Pentagon's push to protect industrial base networks and controlled unclassified information from cyber attacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that contractors are adhering to certain standards. Organizations will be required to meet different levels of security requirements depending on the type of work they are doing, with level 1 being the least burdensome and level 5 the most stringent.
An “estimated 7,500 companies will be certified in 2021,” Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment, said during a webinar hosted by cybersecurity company Celeruim “That doesn't seem like a lot but if you think about the interconnectivity of the [defense industrial base] it's a certification that's good for all DoD contracts for three years.”
By 2026, all solicitations are expected to include CMMC standards that companies must meet if they want to do business with the Pentagon.
Tommy McDowell, general manager at Celerium, noted that the 7,500 goal means the department is looking to move quickly and that companies should start preparing to implement CMMC regulations now as the department prepares to roll out requests for information and requests for proposals that include the new requirements .
“That is a pretty big number,” McDowell said. “That's 7,500 companies, not 7,500 contracts. So, seeing how we're beginning this fall with some of the initial RFIs and RFPs, maybe we'll have a contract [with the standards baked in] awarded by the end of the year. More than likely it will be January of 2021.”
Despite the ongoing COVID-19 pandemic, the Pentagon still plans to release requests for proposals that include CMMC requirements this year. Before that happens, a formal rule change in the Defense Federal Acquisition Regulation Supplement, or DFARS, to enforce the new standards needs to be completed, Arrington said.
“The DFAR rule is getting ready to be released for a public comment period. There will be a 60-day period where the public can comment on the model on anything that they want. And then after that we'll ensure we've adjudicated all those comments and concerns and then they will publish the rule,” she said. “It will go into effect 30 days after it's published, and then you will actually start seeing it in RFPs.”
Arrington said she still expects to have CMMC requirements in solicitations that are set to be released in the September-October time frame. Officials anticipate that other government agencies and organizations will adopt a similar cybersecurity model in the coming years.
“I think that five years from now, it's part of a national standard, it's part of how we do business,” she added.