The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is still working with DoD stakeholders and industry to finalize the Cybersecurity Maturity Model Certification (CMMC). As stated on the OUSD(A&S) website: “The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” On March 13, 2020, Under Secretary of Defense Ellen Lord issued a statement on misleading cybersecurity certification information. She noted that “some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.” Such representations are not accurate, because “[t]he requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized.” Until those requirements are published, no organization can legitimately claim to issue a CMMC certification.
Per DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” Contractors were required to implement NIST SP 800-171 by December 31, 2017. However, Contractor self-certification against NIST SP 800-171 has not gone as well as the Department of Defense (DoD) had hoped. DoD even added it to the 2019 Contractor Purchasing System Reviews (CPSR), under which the Defense Contract Management Agency (DCMA) evaluates how well Contractors monitor their subcontractors’ self-certification. In the meantime, DoD has shifted gears and is developing the Cybersecurity Maturity Model Certification (CMMC) to strengthen cybersecurity across the entire DoD supply chain, from the prime Contractor down to the lowest-tier subcontractor.