Department of Defense CMMC Update

We attended a presentation in early August by Katie Arrington, who is spearheading the Department of Defense’s (“DoD”) efforts to increase the role cybersecurity plays in acquisitions. At that time, Ms. Arrington mentioned that Version 0.4 of the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) would be released on August 30, just before the long Labor Day weekend. The DoD’s Office of the Under Secretary of Defense for Acquisition & Sustainment announced late last week that “Due to the impending holiday [the office] will release the Draft CMMC 0.4 once it clears review by DoD Public Affairs.” This is disappointing for the hundreds of thousands of Defense Industrial Base (“DIB”) contractors who are waiting for additional clarity from the DoD before kick-starting their maturity assessment and improvement processes. The DoD is currently targeting a January 2020 release date for CMMC Version 1.0, with June and September roll-outs for mandatory inclusion of the CMMC in all RFIs and acquisitions, respectively. We recommend that all contractors perform a pre-assessment now so that they have as much lead time as possible to make any necessary changes or improvements.