A sneak peek at CMMC

The Defense Department is preparing to release the final version of its unified cybersecurity standard, which could come later this week.

Katie Arrington, chief information security officer for DOD acquisition policy, previewed more details of the Defense Department's timeline for implementing the final version of the Cybersecurity Maturity Model Certification program at a Jan. 28 event hosted by NeoSystems and law firm Holland and Knight.

DOD expects at least 15 contracts to carry the CMMC requirements, and to have 1,500 certified contractors, by fiscal 2021. More than half of those would be at level 1, according to presentation documents. That total number is expected to balloon to almost 48,000 by fiscal 2025.

The number of contracts with CMMC requirements will, theoretically, explode as well, with 75 contracts including them by fiscal 2022, 250 contracts by 2023 and 479 contracts in 2024, according to the DOD presentation documents.

The CMMC Accrediting Body, an independent, not-for-profit group responsible for developing assessment standards and training, is slated to deliver a draft of "CMMC 101" training in February.

Ty Schieber, the CMMC Accrediting Body chair, told FCW following the event that "solidification of schedule will occur once we get the relationship codified" via memorandum of understanding and "mutually agree upon what we can do and what that means in terms of hitting those guidelines."

According to the DOD documents, that memo is to be signed in February and is still listed as "to be determined."

Schieber said the CMMCAB officially formed as a business entity over the weekend and has selected a board of directors. By next week, committees will be formed.

"We formed as a business entity two days ago. We now have a board of directors. So what will follow in short order, like next week is establishing the committees that are led by board directors," Schieber said, adding that pathways exploring accreditation, certification, training, infrastructure and assessment operations would be considered in the process.

DOD is also in the initial planning stages for its CMMC databases and infrastructure and plans to launch a pathfinder effort in March with beta testing in July -- when the first requests for information are expected, Arrington showed in the presentation.

"In each iteration of the versions when we've gone out, we've done pathfinders [to look at] how long is it actually taking for someone to come in who's never seen the model actually run through an assessment," Arrington told reporters following the event. "We've been doing that the entire process, so we have a pretty good understanding of how long it takes to go forth with a certification."

Pathfinder testing for CMMC implementation, currently in the planning stage, will commence with a select group of defense industrial base companies in March, according to the documents.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. Follow her on Twitter @lalaurenista.
