The Pentagon on Tuesday published the interim rule for its new Cybersecurity Maturity Model Certification (CMMC) contracting standards, opening up a 60-day period for comments before it goes into effect on Nov. 30.
The interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) is the start of the Pentagon’s five-year phased roll-out to include CMMC standards in all contracts by October 2025.
CMMC is intended to improve DoD’s supply chain security by assigning vendors a cyber security certification on a five-point scale, with the phased rollout plan expected to begin with 10 pilot programs.
“We needed to level set a cyber security standard here in the DoD so that we could ensure that every one of our vendors was set up for success,” Katie Arrington, the department’s lead for CMMC, said during the virtual ComDef conference on Tuesday.
Arrington said the five-year period to fully implement the rule is aimed at ensuring all vendors in the supply chain have ample time to get a third-party CMMC audit for their company.
Ellen Lord, the Pentagon’s top acquisition official, said last month the department has started its first CMMC pathfinder, assessing an existing Missile Defense Agency contract, with plans to begin expanding pilot program efforts over the next several months (Defense Daily, Aug. 17).