The Department of Defense (DoD) will pilot the enforcement of its Cybersecurity Maturity Model Certification (CMMC) program on seven upcoming contracts that DoD expects to award in late 2021, setting the stage for the first CMMC audits, the department announced in a Dec. 15 news release.
The announcement heralds the first contract opportunities where prospective partners will need to have their cybersecurity posture assessed and graded at CMMC Level 3 in order to successfully win their bid. The seven pilot contracts and their corresponding agencies are:
- Navy: Integrated Common Processor;
- Navy: F/A-18E/F Full Mod of the SBAR and Shutoff Valve;
- Navy: DDG-51 Lead Yard Services / Follow Yard Services;
- Air Force: Mobility Air Force Tactical Data Links;
- Air Force: Consolidated Broadband Global Area Network Follow-On;
- Air Force: Azure Cloud Solution; and
- Missile Defense Agency: Technical Advisory and Assistance Contract.
“For approved pilots, all offerors will undergo the appropriate CMMC assessment, and awardee must achieve the required CMMC level at time of contract award, and flow down the appropriate CMMC requirement to subcontractors. This allows for additional time to meet the CMMC certification requirement,” DoD noted.
These contracts are the start of CMMC’s implementation, which is set to occur over the next five years. Once the program is fully implemented, almost all DoD vendors will need to hold CMMC certifications and have them reassessed every three years, and each contract will carry a required CMMC level that contractors will need to meet before submitting an eligible bid.
While DoD has identified seven initial pilot contracts, they are likely not the last ones to be designated. During a call with reporters at the AFCEA TechNet Cyber event in December, DoD officials said they expected 15 CMMC pilot contracts by the end of 2021, and the press release noted that the department is working with the Army and other defense agencies to “identify and approve additional candidate CMMC pilots.”