In a reorganization of responsibilities, the Department of Defense (DoD) has put the Cybersecurity Maturation Model Certificate (CMMC) program under the oversight of the DoD’s Office of the CIO (OCIO), a shift from being the responsibility of the Under Secretary of Defense for Acquisition and Sustainment (A&S), according to a Feb. 3 release.
The move, directed by Deputy Secretary of Defense Kathleen Hicks, brings the six civilians working on the program team under the oversight of DoD CIO John Sherman. The program was initially overseen by Under Secretary of Defense for A&S Katie Arrington, who has been on leave since June 2021.
“I’d like to highlight the great work by A&S to establish the CMMC program,” Sherman said in the announcement. “As we realign responsibility for the program, it’s important to note that we will continue to work closely with A&S on this program.”
After a lengthy internal review of the program, DoD released CMMC 2.0 in November. The updated program simplified the cybersecurity requirements for contractors and reduced the number of maturity levels from five to three.
“The CMMC team, led by Stacy Bostjanick, will be aligned under the Deputy CIO for Cybersecurity to increase the program’s integration with other Defense Industrial Base (DIB) Cybersecurity programs,” Sherman said. “We are moving out in the coming weeks on the rulemaking process and look forward to continuing critical collaboration with industry stakeholders.”
DoD said the move was made to promote synergy across the department and DIB and consolidate industry cyber programs under the common leadership of the CIO. DoD said OCIO would be proposing changes to the Defense Federal Acquisition Regulation Supplement rule-making process “in the coming weeks.”