
Pushing back on industry criticism, a top Pentagon tech official made clear today that the Defense Department’s (DoD) Cybersecurity Maturity Model Certification (CMMC) policy exists because defense contractors failed to meet earlier standards – and that CMMC is here to stay whether contractors like it or not.
The Pentagon in October 2024 released its final rule for the CMMC program, which requires Defense Industrial Base (DIB) contractors and subcontractors to implement the necessary security measures for Federal contract information and introduces new security requirements for controlled unclassified information related to specific priority programs.
Since its introduction, CMMC has faced criticism from industry leaders and lawmakers who argue that the requirements place a heavy burden on companies, especially smaller firms with limited resources.
Katie Arrington, who is performing the duties of the DoD chief information officer, responded forcefully to that criticism today at the UiPath Public Sector Summit in Washington, D.C.
“If industry had complied with [National Institute of Standards and Technology] Special Publication 800-171, CMMC wouldn’t be so hard,” Arrington said.
After finding widespread noncompliance with NIST SP 800-171 across the DIB, DoD introduced interim rules for the CMMC program in 2020 to standardize cybersecurity practices. Facing backlash over cost and complexity, the department released a streamlined version – CMMC 2.0 – in 2021 to ease the burden while maintaining core protections.
According to Arrington, DoD’s review of DIB compliance revealed that many DIB contractors had Plans of Action and Milestones that wouldn’t bring them into full compliance until 2099. Given the DIB’s critical role in national security, she stressed that compliance with CMMC requirements is nonnegotiable.
“The business of defense is not something we should take lightly,” Arrington said. “If it’s too hard, get out of the business.”
She further emphasized that the policy is more than just a framework – “It’s a complete cultural shift.”
“I want you to adapt the culture of zero trust, I want you to adapt the culture of cybersecurity. Everything should be built on security,” Arrington said.
Despite her forceful advocacy, CMMC has yet to be fully implemented in contracts. After several revisions and lengthy delays, DoD is aiming to enforce the new requirements by mid-year 2025. However, CMMC now faces further regulatory setbacks due to the President’s deregulatory efforts.
Still, the DoD’s CMMC team remains confident that the program is inevitable for the department.
“We’re working through that … to make sure that we are protecting ourselves, we’re going to have to work our way through that,” Stacy Bostjanick, director of DIB cybersecurity in DoD’s Office of the CIO, said at a separate event last month.