The Defense Department is making changes to its schedule for rolling out the first requests for proposals to contain requirements for contractors under the new Cybersecurity Maturity Model Certification program, citing timing issues.
The Pentagon had planned to begin releasing RFPs in March under a CMMC pilot program, and explained to Inside Cybersecurity last month that initial projects from the Army’s Women, Infant and Children Overseas Program and a component of the Navy’s F/A-18E/F aircraft were up first.
“Unfortunately due to scheduling issues, the WIC program has been removed from the pilot participation. The schedule for F-18 activity has shifted and will not be released until late summer,” a DOD spokeswoman told Inside Cybersecurity in a statement.
The Pentagon by Wednesday evening had yet to respond to requests for comment on a revised plan.
DOD released the names of the first round of CMMC pilots on Dec. 15, but the list has evolved over time as a result of scheduling conflicts between the services releasing the contracts and expectations from Office of the Under Secretary of Defense for Acquisition and Sustainment (A&S), which is overseeing the CMMC rollout. While the list identifies programs, it does not provide details on specific contracts.
The Army put out a “Women, Infants and Children (WIC) Overseas Program Support Services” RFP on March 11. It is unclear whether that solicitation was planned for the CMMC rollout.
In a February interview with Inside Cybersecurity, DOD’s Stacy Bostjanick said, “We are in the process of vetting the WIC program to make sure that it needs to be CMMC level three or CMMC level one. It will surely handle personally identifiable information which might be what pops it up to level three.”
Bostjanick was promoted in 2021 to acting director for supply chain risk management within A&S and previously led CMMC program office.
The F/A-18 contract is for a “sole source contract” that will go to Boeing, Bostjanick said in February. At that time, the Pentagon’s CMM program office was “working with the program office for the F/A-18 come up with the correct RFP language and then we will sit down with their data to help them map out controlled unclassified information they have through the supply chain to make sure it is properly flowed down to the lower tiers.”
The Pentagon is planning to release up to 15 contracts with CMMC language in fiscal 2021, but schedules are not necessarily aligning as expected for the CMMC program office.
Companies competing for CMMC contracts do not need to obtain a certification at the level desired in each solicitation until time of award, which has caused some confusion.
“The biggest change for me personally is when I write a contract now, when I write a performance work statement, I will be required to determine the CMMC levels of the tasks that are in that contract,” JenniLynn Bushby, contracting officer at the Defense Information Systems Agency, said at an AFCEA conference in December shortly after the rule kicking off the CMMC rollout went into effect.
“In my job, we spend weeks, months, or sometimes years working on a contract depending on its size and how complicated it is,” Bushby said. There could be complications if the vendor selected doesn’t “get their audit results back in time or there is a waiting list for getting an audit… or they achieve a lower certification level than expected” when the contract is ready to be awarded.
“If we didn’t make that a prequalification to bid it kind of puts the government at risk schedule-wise” when vendors run into issues achieving the required CMMC level, Bushby said. However, she said the planned five-year rollout for CMMC should not have “a huge impact on acquisition timelines” if defense contractors who want to compete can get certified by DOD’s Oct. 1, 2025 deadline for all contracts.
The Defense Contract Management Agency is tasked with doing CMMC level three assessments for certified third party assessment organizations who will be conducting the official audits. The first C3PAO audit conducted by DCMA’s Defense Industrial Base Cybersecurity Assessment Center started on March 10.
“The assessments are being conducted by the DIBCAC CMMC trained assessment team and we will not have information on the assessment until the reports are finalized,” the DOD spokeswoman said.
The spokeswoman said, “While we can’t provide specifics at this time, when the first C3PAO passes their assessment and have completed all necessary actions, that will be listed on the CMMC-AB website.”
There are currently 97 C3PAOs that are conditionally approved to conduct CMMC assessments listed on the CMMC Accreditation Body marketplace, pending their own DIBCAC audits for level three.
CMMC-AB vice chairman Jeff Dalton told Inside Cybersecurity, “The CMMC-AB is updating the Marketplace to identify them as ‘Candidates’ until they complete their CMMC ML3 assessment successfully. Then they will be called ‘Authorized.’ Several C3PAO candidates are in the process of starting their assessments. C3PAOs cannot conduct and submit an assessment until the CMMC ML3 Assessment is completed.”
A DCMA spokesman declined to comment on the status of the first assessment and scheduling for future C3PAO audits. -- Sara Friedman (firstname.lastname@example.org)