DOD's Katie Arrington updates CMMC progress

The Defense Department is preparing to release the final version of its unified cybersecurity standard, which could come later this week.

Katie Arrington, chief information security officer for DOD acquisition policy, previewed more details of the Defense Department's timeline for implementing the final version of Cybersecurity Maturity Model Certification program at a Jan. 28 event hosted by NeoSystems and law firm Holland and Knight.

DOD expects to have at least 15 contracts to have the CMMC requirements and 1,500 certified contractors by fiscal 2021. More than half of those would be at level 1, according to presentation documents. That total number is expected to balloon to almost 48,000 by fiscal 2025.

The number of contracts with CMMC requirements will, theoretically, explode as well with 75 contracts including it by fiscal 2022, 250 contracts by 2023 and 479 contracts in 2024, according to the DOD presentation documents.

The CMMC Accrediting Body, an independent, not-for-profit group responsible for development assessment standards and training, is slated to deliver a draft of "CMMC 101" training in February.

Ty Schieber, the CMMC Accrediting Body chair, told FCW following the event that "solidification of schedule will occur once we get the relationship codified" via memorandum of understanding and "mutually agree upon what we can do and what that means in terms of hitting those guidelines."

According to the DOD documents, that memo is to be signed in February and is still listed as "to be determined."

Schieber said the CMMCAB officially formed as a business entity over the weekend and has selected a board of directors. By next week, committees will be formed.

"We formed as a business entity two days ago. We now have a board of directors. So what will follow in short order, like next week is establishing the committees that are led by board directors," Schieber said, adding that pathways exploring accreditation, certification, training, infrastructure and assessment operations would be considered in the process.

DOD is also in the initial planning stages for its CMMC databases and infrastructure and plans to launch a pathfinder effort in March with beta testing in July -- when the first requests for information are expected, Arrington showed in the presentation.

"In each iteration of the versions when we've gone out, we've done pathfinders [to look at] how long is it actually taking for someone to come in who's never seen the model actually run through an assessment," Arrington told reporters following the event. "We've been doing that the entire process, so we have a pretty good understanding of how long it takes to go forth with a certification."

Pathfinder testing for CMMC implementation, currently in the planning stage, will commence with a select group of defense industry base companies in March, according to the documents.