Mandatory review of DOD's compliance on CMMC is delayed


The Defense Department has asked for more time to deliver an assessment to Congress about whether its components comply with the unified cybersecurity standard for defense contractors known as the Cybersecurity Maturity Model Certification program, FCW has learned.

A provision in the 2021 National Defense Authorization Act requires DOD's CIO and the commander of the Joint Forces Headquarters-Department of Defense Information Network to review each DOD component for cyber hygiene and assess compliance with CMMC.

The report is supposed to identify a "component's CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework," according to the legislation.

Those components that don't meet CMMC level 3 requirements, also referred to as "good cyber hygiene," will have to "implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022."

The report stemming from that review was due to Congress on March 1, but has been pushed to June, according to a Hill aide familiar with the matter.

The CMMC program, a unified standard that defense contractors handling controlled unclassified information will have to meet to bid on contracts, is expected to enter the pilot stage with select contracts later this year; full implementation for all defense contracts is planned for 2025.

"The Cybersecurity Maturity Model Certification will continue to be a focal point" for ranking member Sen. Jim Inhofe (R-Okla.) and Cybersecurity Subcommittee ranking member Sen. Mike Rounds (R-S.D.), a spokesperson for Senate Armed Services Committee Republicans told FCW. "One area where the committee is particularly concerned is balancing the cybersecurity of the defense industrial base with making sure the burden on small- and medium-sized businesses isn't too great."

DOD has not yet responded to a request for comment.

The Defense Department is also running a separate review of supply chain and risk management programs, including CMMC, led by Stacy Cummings, DOD's acting acquisition chief.

"In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the Department remains deeply committed to the security and integrity of the defense industrial base," DOD spokesperson Jessica Maxwell told FCW. "As is done in the early stages of many programs, the DOD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process…. This assessment will be used to identify potential improvements to the implementation of the program."

News of this internal review was first reported in FedScoop.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
