WASHINGTON — The Department of Defense has outlined what contracts will initially fall within its Cybersecurity Maturity Model Certification.
The CMMC is a tiered cybersecurity framework that grades companies on a scale of one to five. A score of one designates basic cyber hygiene and a five represents advanced hygiene.
Top officials at the DoD have said the process will not be retroactive, and as part of the rollout, it will seek to pilot contracts before all contracts will feature it going forward.
In fiscal 2021, DoD will begin to pilot the implementation of CMMC requirements for level 3, the basic standard requiring good cyber hygiene, focusing on protection of controlled unclassified information and below on select new acquisitions.
The pilot contracts announced Dec. 15 include:
- Integrated Common Processor (Navy)
- F/A-18E/F Full Mod of the SBAR and Shut off Valve (Navy)
- DDG-51 Lead Yard Services / Follow Yard Services (Navy)
- Mobility Air Force Tactical Data Links (Air Force)
- Consolidated Broadband Global Area Network Follow-On (Air Force)
- Azure Cloud Solution (Air Force)
- Technical Advisory and Assistance Contract (Missile Defense Agency)
DoD will continue to work with the Army and other defense agencies to identify and approve additional CMMC pilots that fit within the criteria, the announcement said.
Contract awardees for the pilots must achieve the required CMMC level at the time of award and flow down the appropriate requirement to subcontractors, DoD said.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.