Inside Cybersecurity

May 13, 2021

Daily News

Pentagon approves first pilots with CMMC requirements, plans request for proposals release this summer

By Sara Friedman / April 22, 2021

The Pentagon’s acquisition office has given its approval for the first contract solicitations with cyber certification requirements, and the rollout of the requests for proposals is expected in the summer, according to a DOD spokeswoman.

The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program is overseen by the Office of the Under Secretary of Defense for Acquisition and Sustainment, or OUSD (A&S). The office is working with the military services and defense agencies to determine how to incorporate CMMC language into contracts.

The Pentagon expects to release up to 15 pilot contract solicitations by the end of the current fiscal year.

“OUSD (A&S) has approved pilot acquisitions that will have the clause included,” the spokeswoman told Inside Cybersecurity. “Those RFPs are set to release this summer.”

The clause, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, requires contractor compliance with the CMMC program at the level specified in the contract. OUSD (A&S) must approve every DOD contract solicitation that includes a CMMC requirement until Sept. 30, 2025.

It is not clear which contracts from the services and agencies will be moving forward first.

In March, the spokeswoman told Inside Cybersecurity, “There are two programs under review: Army Program Main Operating Base -- Special Purpose Processing Node and Air Force Broadband Global Area Net.”

At the time, the spokeswoman said, “We are planning up to 15 pilots in 2021, but understand that issues could push acquisitions out later than anticipated. FY21 pilots (like the F/A-18E/F Full Mod of the SBAR and Shut off Valve, and the Integrated Common Processor) have seen their projected award dates moved into FY22 for various reasons.”

The Defense Information Systems Agency released a request for information earlier this month on a broadband contract for the United States Space Force Commercial Satellite Communications Office, asking industry whether vendors would be able to obtain a CMMC Level 3 certification.

Some agencies and services have released or amended RFPs that include the 7021 clause over the past few weeks, but those solicitations have not been approved by OUSD (A&S) as CMMC pilots. The solicitations reviewed by Inside Cybersecurity do not specify which maturity level is required of primes and which of their subcontractors.

One of the RFPs released by DISA on Feb. 26 is to “upgrade the Raised Access Floor to meet load capacity” in three of the agency’s computer rooms. The solicitation includes two DFARS clauses already in effect for all DOD contracts, 252.204-7019 and 252.204-7020, which govern assessment against National Institute of Standards and Technology Special Publication 800-171, as well as the new CMMC requirement in 7021.

The Information Technology Industry Council’s Gordon Bitko told Inside Cybersecurity that the DISA “raised floor” RFP and the other solicitations released so far should be considered “risk management” rather than official CMMC pilots approved by OUSD (A&S).

“I would put those down as risk management on the part of the contracting officials that are anticipating multi-year procurements and they are to ensure in subsequent years of the contracts that they have the ability to be CMMC compliant,” Bitko said. Bitko is ITI’s senior vice president of policy for public sector.

When asked for clarification on existing RFPs, the spokeswoman said, “Inclusion of a CMMC level requirement in a solicitation, which triggers use of 252.204-7021, must be approved by OUSD(A&S) until Sept. 25, 2025. Absence of a specified CMMC level does not mean the CMMC requirement is level one unless the solicitation or contract so specifies.”

The spokeswoman said, “Please note that even if a CMMC requirement is not included, the solicitation or contract may still contain 252.204-7012 and the associated assessment requirements set forth in 252.204-7019 and 252.204-7020, and if so, a prime or subcontractor would need to comply with those requirements as applicable.” -- Sara Friedman