The Defense Department is creating a new unified cybersecurity framework that will be available in early 2020 and included in department solicitations by next fall, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said Aug. 26.

Speaking at a media briefing at the Pentagon, Lord announced the creation of the Cybersecurity Maturity Model Certification (CMMC) program, a collaboration with Johns Hopkins University’s Applied Physics Laboratory, the Carnegie Mellon Software Engineering Institute and industry partners.

“The CMMC establishes security as the foundation of acquisition and combines the various cybersecurity standards into a unified standard,” she said.

The framework will be made fully available in January 2020, and by June 2020 industry will see CMMC requirements in requests for information, Lord said. “By fall 2020, CMMC requirements will be included in request for proposals and will be a go/no go decision,” she added.

The Pentagon’s assistant secretary for acquisition, Kevin Fahey, first announced the department was working on a new cyber compliance plan this past February in Washington, D.C. (Defense Daily, Feb. 13). He described it then as a system similar to a credit score that would rate a supplier’s level of cybersecurity readiness for DoD requirements.

The Defense Department worked closely with industry associations to develop the certification program and also took lessons from the Navy, Lord said Monday. Work is ongoing on the actual implementation of the program, which will include five standard levels, she said.

“When you have a program, different subsystems can be held at different levels,” she noted. “The entire system doesn’t require a rating of a 4; different parts can have lower and then higher amounts. So if you have a hardware portion that doesn’t have a cybersecurity requirement, there won’t be much levied on that.”

The department is “extremely concerned” with supporting small businesses with this framework, and encourages those companies to reach out to industry associations and the DoD’s industrial policy team to make sure their concerns are met, Lord said. “We are trying to help people help themselves and work with us,” she said.