Sunday, July 13, 2025
The Defense Department expects to release its first contract solicitations containing Cybersecurity Maturity Model Certification requirements in the April-May timeframe, according to a Pentagon spokeswoman. The solicitations will focus on requests for proposals in development from the Army and the Air Force.
Results from agency-led reports on semiconductor and high-capacity battery supply chains will help the Biden administration identify immediate priorities around reshoring manufacturing capacity and a risk management approach in collaboration with the private sector, according to a senior intelligence official.
CMMC Accreditation Body chair Karlton Johnson says his organization is prepared to meet the demand for assessments from contractors once the first certified, third-party assessment organizations are approved by the Defense Contract Management Agency.
Tabletop exercises conducted by the National Defense Industrial Association in coordination with Pentagon cyber certification leaders found areas of improvement are needed to clarify CMMC requirements for industry around operational technology and the marking of controlled unclassified information.
The Defense Department chief information officer is exploring if changes need to be made to the Pentagon's acquisition rules to take into consideration recent National Institute of Standards and Technology guidance for advanced persistent threats and the protection of high-level assets.
The Defense Department is working on a new rule to establish a cyber regime focused on advanced persistent threats that is expected to add new regulations around levels four and five of the Pentagon's Cybersecurity Maturity Model Certification program.
Meeting the standards laid out in the Pentagon's Cybersecurity Maturity Model Certification program is a necessary start to buying down supply chain risk through establishing good cyber hygiene, but cyber experts say CMMC would not necessarily have helped contractors detect or prevent exposure to the SolarWinds attack.
The Defense Department is working with the General Services Administration's Federal Risk and Authorization Management Program team to develop a "gap analysis" that will compare the cloud services effort with the Pentagon's Cybersecurity Maturity Model Certification initiative, according to DOD's Stacy Bostjanick.
The Defense Department is expecting to release its first request for proposals containing requirements from its Cybersecurity Maturity Model Certification program in March, according to Pentagon acquisition Chief Information Security Officer Katie Arrington.
The rollout of the Pentagon's Cybersecurity Maturity Model Certification program is one of several lines of effort at the Defense Department's acquisition office that addresses supply chain risk management, according to Pentagon acquisition leaders who described the multifaceted approach in an exclusive interview.
The Defense Department's acquisition office and its partners are in the process of adjudicating comments on an interim rule implementing their Cybersecurity Maturity Model Certification program, which Pentagon leaders say will have an impact on the CMMC maturity model and assessment guides.
The Defense Department has no plans to slow down the rollout of the Cybersecurity Maturity Model Certification program, according to a senior acquisition official, who says there is "bipartisan" support to get the new structure stood up at the Pentagon.
Plans to separate the CMMC Accreditation Body's authorities to certify and train assessors is a positive sign, according to a leading defense industry association, but the trade group says they will keep a close watch on the rollout of the reorganization.
The independent accreditation body behind the Pentagon's cyber certification program will be required to separate its assessor and training programs into business units, one of the many conditions in a no-cost contract signed by the Defense Department and the new non-profit reviewed by Inside Cybersecurity.
The Defense Department is working on adjudicating comments from an interim final rule that established the Pentagon's Cybersecurity Maturity Model Certification program, which officials said Wednesday could change based on ongoing work on maturity levels four and five.
The Defense Department is planning to issue a memo outlining how the maturity levels of its new cyber certification program align with FedRAMP and other standards used by industry.
The Defense Department has announced the first round of pilot contracts that will include requirements under the Cybersecurity Maturity Model Certification program for the current fiscal year.
The Defense Department is delaying defining the "scope" of its Cybersecurity Maturity Model Certification assessments for maturity levels one and three in the first editions of its assessment guides, which assessors say will impact the ability to conduct a comprehensive audit.
The Defense Department has released two assessment guides outlining how auditing firms and their assessors will evaluate contractors who want to get certified for Cybersecurity Maturity Model Certification maturity levels one through three.
The Pentagon's approach to making cybersecurity a foundational part of acquisition is mandating new compliance requirements for the defense industrial base, which could potentially create a division between primes and subcontractors when it comes to information sharing.