With CMMC rolling out, this list of seven programs could touch 700 companies
The Defense Department has released seven contracts that it expects to be the first to include CMMC Level 3 requirements before they can be awarded.
The Defense Department has now released an initial group of contracts that will require the third-level certification out of five under the Defense Department's new CMMC cyber standards for contractors.
The Cybersecurity Maturity Model Certification is DOD’s effort to get contractors to verify how they protect government information that resides in their systems. CMMC will apply to tens of thousands of contractors, so DOD is implementing a phased-in approach.
We have seen CMMC pop up in other contracts as it has already been included as a requirement in the General Services Administration's Polaris and 8(a) STARS III small business vehicles.
For fiscal year 2021, DOD has said it wanted to implement CMMC on 15 contracts. On Wednesday, the department released a list of seven contracts that it said it was reviewing as “pilot nominations.”
The initial list of seven contracts are:
Navy
- Integrated Common Processor
- F/A -18E/F Full Mod of the SBAR and Shut off Valve
- DDG-51 Lead Yard Services/Follow Yard Services
Air Force
- Mobility Air Force Tactical Data Links
- Consolidated Broadband Global Area Network Follow-on
- Azure Cloud Solution
Missile Defense Agency
- Technical Advisory and Assistance Contract
Companies that win those contracts will have to be certified to level three of CMMC at the time an award is made.
Work is ongoing with the Army and defense agencies to identify their CMMC pilots.
It appears all contracts on that list are existing vehicles and not brand new work. But I’ve been struggling to match incumbents with the contracts because of multiple contracts with similar sounding names.
But some of the contractors that are coming up in my searches include General Dynamics, Lockheed Martin, Microsoft, Northrop Grumman and Parsons Corp.
It should be surprising that these contractors coming up with this first batch of CMMC requirements. DOD’s strategy, particularly here in the beginning has been to start with the large primes and then have the CMMC requirements flow down to subcontractors.
DOD has estimated each of these large programs could have have 100 companies involved that will need CMMC certification, of at least level one.
So for these seven on the list, we are talking about roughly 700 companies that will need to go through a third-party audit of cybersecurity compliance before these contracts are awarded in fiscal 2021.