The Department of Defense Cybersecurity Maturity Model Certification (CMMC) was released today (Version 1.0), and is available on DoD’s OSD website here.
This is a cyber security standard, with 5 maturity levels, created in partnership between the SEI Institute and the DoD.
The DoD has announced that future RFIs and RFPs will require prime contractors and subcontractors/vendors to be externally appraised (audited and certified) at a certain CMMC level to be able to bid on DoD contracts.
They are planning on ‘tagging’ a handful of RFIs in the June 2020 timeframe and a handful of RFPs in the Fall 2020 timeframe with the CMMC requirement, and then phasing in the requirement across DoD contracts over the next 5 years. DoD has said that no existing contracts will get CMMC added to them; instead, DoD will add CMMC to contracts as they come up for re-compete.
This morning, Ellen M. Lord, undersecretary of defense for acquisition and sustainment; Kevin Fahey, assistant secretary of defense for acquisition; and Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber, conducted a news conference on cyber security standards for government acquisition at the Pentagon. The video is available online here. The 3 slides presented are shown below.