The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program is under internal review at the Pentagon with an eye toward “potential improvements” to implementation of the program, a DoD spokesperson confirmed to MeriTalk.
The CMMC program aims to enforce cybersecurity standards of varying levels up and down the defense industrial base (DIB) supply chain. With CMMC still in the pilot program stages and new leadership at the agency, DoD is making sure it will adequately live up to the goals of the program.
“In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the Department remains deeply committed to the security and integrity of the defense industrial base,” agency spokesperson Jessica Maxwell said in a statement. “As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process.”
The CMMC requirements are early in the process of being rolled out to DoD contracts. Katie Arrington, Pentagon CISO for acquisition and sustainment, has said CMMC would be required in all DoD contracts by FY 2026. At a virtual event Wednesday, Arrington did not discuss the internal review when talking about the program.
“As this internal assessment is ongoing, we are not able to provide further detail,” Maxwell said. “This assessment will be used to identify potential improvements to the implementation of the program.”
It is currently unknown how the internal review would affect this timeline or others associated with the CMMC program. Earlier this year, Arrington said CMMC requests for proposals would be released starting in mid-March. The DoD also planned to evaluate the performance of its current CMMC pilot programs in late 2021.
The CMMC Accreditation Body (CMMC-AB) – which trains assessors to certify contractors as CMMC compliant – named Matthew Travis its first CEO this week. Keith Nakasone, a General Services Administration acquisitions official, previously said the agency was looking to spread the model to other Federal agencies. It remains unclear whether the internal DoD review will affect those plans.