By Fiscal Year 2026, every contractor seeking to do business with the Department of Defense (DoD) will be required to have at least a Level 1 Cybersecurity Maturity Model Certification (CMMC), Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Feb. 3.
DoD plans to roll out 15 prime contracts that include the CMMC requirement this year and to scale up gradually, topping out at 479 contracts in both Fiscal Year 2024 and 2025. Those plans take into account up to around 100 unique sub-contractors on each prime contract, meaning the plan is to have 1,500 CMMC-accredited contractors by the end of Fiscal Year 2021, which ends Sept. 30.
“CMMC is coming to a company or a program near you,” Arrington said at Washington Technology’s CMMC webinar Feb. 3. “This is not a checklist. … Technology is something that is really great, but you need to understand the risk-reduction strategies associated with it.”
“What I would look at the CMMC as is learning the risk reduction strategies to [mitigate] putting your company, your employees, your IT at risk,” she continued. “And knowing the fact that our adversaries are working through a supply chain, they are very deliberate about it.”
Currently, the DoD is still working with its first 10 pilot programs and preparing to add five more this fiscal year. The CMMC-Accreditation Board (CMMC-AB), the non-profit tasked with accrediting prospective DoD contractors, is still training enough assessors to accredit the volume of contractors DoD is seeking.
The bulk of contractors and sub-contractors will only need Level 1 CMMC accreditation this year, with DoD wanting 899 contractors Level 1-certified, 149 Level 2-certified, and 452 Level 3-certified. In Fiscal Year 2022, DoD expects to roll out 75 contracts – requiring 7,500 unique accredited prime and sub-contractors – and 250 in Fiscal Year 2023 – needing 25,000 accredited contractors.
After achieving a volume of 47,905 CMMC accreditations for years four-to-six of the rollout, DoD aims to have 43,251 accredited in year seven of the program. In total, DoD is looking to accredit 220,966 prime and sub-contractors over the first seven years of the program, according to Arrington.
Arrington said that DoD pilot programs are proceeding on schedule, and the agency expects to begin rolling out Requests for Proposals (RFPs) in mid-March. CMMC accreditations will also need to be renewed every three years.