U.S. Department of Defense Announces Cyber Certification Plans – Here’s Why You Should Care

According to Mr. Kevin Fahey, Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment, in calendar year 2020 the Department of Defense will begin requiring all defense contractors to be certified to a Cybersecurity Maturity Model. The certification program will be known as the Cybersecurity Maturity Model Certification (CMMC).

The DoD will begin certifying cybersecurity levels for defense contractors in 2020. The program will be launched in January 2020. By September 2020, all DoD RFPs will include a cybersecurity certification level requirement in order to bid.

Ms. Katie Arrington reports to Mr. Fahey and is creating the program and leading its implementation. Her presentation is attached for your review here. Katie will be leading a series of meetings across the country this summer; dates and times will be announced soon, and the list of cities is in the aforementioned presentation. The updated DoD 5000 acquisition document will be released in July 2019, with sections L & M significantly updated to define cybersecurity items. DoD officials pointed out emphatically that cybersecurity costs will be an “allowable cost.”

DoD officials have outlined the basics of the new cyber certification program as follows:

• The Model is currently under contract for development by the Carnegie Mellon Software Engineering Institute and the Johns Hopkins Applied Physics Laboratory.

• The Model will identify five levels of data security based on NIST SP 800-171 and other guidance.

• Contractors will need to be certified according to the five proposed levels of the Model. Contractors can implement the appropriate security based on the data they handle.

• The DoD will develop an automated tool to assist in gathering data and simplify reporting requirements.

• The certifications will be conducted by an independent, non-profit organization which will select accredited third-party auditors. This organization has not been named at this time.

• Cybersecurity expenses will become an allowable cost in DoD contracts.

Any Virginia company that is either a prime or a subcontractor will need to attain a CMMC rating. Business leaders who plan to continue working with DoD in the future will need to comply with the existing DFARS 7012 regulation and the NIST SP 800-171 cybersecurity specification. Compliance will require ongoing preparation and documentation, and GENEDGE has an established program to help smaller companies meet the requirements.

By Roy Luebke, Engagement Manager, GENEDGE

2 Responses to “U.S. Department of Defense Announces Cyber Certification Plans – Here’s Why You Should Care”

June 25, 2019 at 8:42 am, mark moeller said:

What is the best way to learn more about how to become certified? If attending Ms. Katie Arrington’s presentation is the way, how do we determine the date it will be given in our area?


September 04, 2019 at 8:50 am, Roy Luebke said:

Mark: There has been no definitive info out of DoD yet. DoD has stated that they will launch the CMMC in January 2020 and all new RFPs beginning in September 2020 will have a CMMC level requirement. They are stating that an independent company will be selected to authorize all auditors and the CMMC certification process. Since DFARS 7012 is in effect now, it is best to get as strong as possible in the 110 control areas of NIST SP 800-171.