Cybersecurity Maturity Model Certification (CMMC) is a certification procedure developed by the Department of Defense to certify that contractors have controls in place to protect sensitive data.
Why CMMC in Federal work?
A growing number of contractors work for the federal government on a range of projects, so if someone breaches the security of these contractors, government information is directly at risk. The threats are asymmetric and range from economic, defense, nation-state, terrorist and criminal actors to insider threats. There are also threats arising from ownership.
To close this gap, the government is introducing a new model that all contractors must follow, CMMC, which addresses these issues and provides better cybersecurity for government information.
Recently there have been ransomware attacks targeting state and federal agencies, and both their size and number have increased sharply.
MITRE's Deliver Uncompromised report: MITRE issued a security report addressing supply chain security issues, particularly cyber issues. The report clearly concludes that more action is needed to avoid the situation, and the risk, that the government pays for the development and delivery of something that has already been compromised.
Since then, more provisions have been added to address cybersecurity. With all this in mind, the Department of Defense decided to proceed with CMMC and establish a baseline of cyber hygiene.
The Cybersecurity Maturity Model Certification process will set up 5 levels:
Level 1: a foundational, initial level. The draft rules cover basic cyber hygiene.
Level 2: intermediate cyber hygiene.
Level 3: intermediate cyber hygiene is followed at this level (aligned with NIST SP 800-171).
Level 4: proactive.
Level 5: advanced and progressive.
Implementation of CMMC in The Pentagon
Beyond security, this will help the government assess its risk program. After CMMC is implemented, the government will include it in Requests for Information, Requests for Proposal, evaluations, and awards.
Department of Defense chief security officer Katie Arrington has recently been giving presentations on CMMC and how it is to be rolled out.
Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Defense for Acquisition and Sustainment, has stated:
“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1 percent of [Defense Industrial Base (DIB)] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”
As announced by DoD, the CMMC accreditation body will be a non-profit and is going to be incorporated soon. After incorporation, the Department of Defense will step in to establish the terms of the program. For now, they have decided the governing body will have 13 members. Ty Schieber has been named head of the governing body. Governing body members will come from academia, the defense industrial base and the cybersecurity field. Training of certifiers will take place after June.
Updates For Contractors
Once the certifiers are in place, they will roll out certification of contractors. The number of certifiers has not yet been determined; this is still in process. This has also created a new opportunity for people to become new contractors.
Contractors need to be certified by the central body. Starting in June, the governing body will issue a Request for Information.
It is expected that a Request for Proposal will be issued by September. Contractors need to be ready to obtain the certificate.
DoD is conducting an assessment of contractors' status, focusing on security for now. DoD has said the costs of CMMC will be allowable, but the boundaries of the allowed costs are still under discussion.
Pending Queries on CMMC Implementation
It has not yet been established how far the FAR and DFARS will be addressed in CMMC, nor how contractors will be assigned to CMMC levels. Also, the levels required of subcontractors have not been defined yet.
FAQs are still being considered and are listed on the DoD website.