According to a recent statement by Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, three Defense Federal Acquisition Regulation Supplements (DFARS) for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) will soon be permanent rules. (MeriTalk April 15, 2021)

The CMMC program enforces cybersecurity standards in the Defense Industrial Base (DIB) supply chain. The certification requirements will be part of all DoD contract requirements by 2026. (ibid)

The soon-to-be-permanent rules are:

  • DFARS Provision 252.204.7019 requires contractors to complete self-assessments and upload them into the DoD’s Supplier Risk Performance System (SPRS)
  • DFARS Clause 252.204.7020 takes place upon contract completion, allows DoD access to systems, facility, and personnel if DoD assesses the necessity due to risk
  • DFARS Clause 252.204.7012 requires all contractors to maintain adequate security of defense information that is “processed, stored or transmitted” on their network (ibid)

According to Arrington, 300,000 contractors need to get CMMC certified within the next five years. She said, “we have thought carefully about this, and making cybersecurity foundational to acquisition wasn’t something that we just thought “Let’s do it one time.” It has to be an enduring capability.” (ibid)

Questions concerning CMMC certification? Give us a call.