CMMC gets a new home in the Pentagon

Defense Department CIO participates in a virtual cybersecurity forum in April, 2021. DOD photo by Chad J. McNeeley

The Defense Department has shifted responsibility for the Cybersecurity Maturity Model Certification program for contractors to the DOD chief information officer.

The Defense Department's fledgling cybersecurity standard for contractors is getting a new owner.

Kathleen Hicks, the deputy defense secretary, has ordered that the DOD chief information officer take responsibility for the Cybersecurity Maturity Model Certification program from the undersecretary of defense for acquisition and sustainment, according to a Feb. 3 announcement. The move also realigns the six personnel who administer the program, led by Stacy Bostjanick, the director of CMMC policy.

"As we realign responsibility for the program, it's important to note that we will continue to work closely with A&S on this program," John Sherman, DOD's CIO, said in a statement announcing the decision. 

Sherman added that, under the CIO office, the program's realignment will increase its "integration with other Defense Industrial Base Cybersecurity programs. We are moving out in the coming weeks on the rulemaking process and look forward to continuing critical collaboration with industry stakeholders."

Sherman added that the CIO will submit proposed changes to CMMC via the Defense Federal Acquisition Regulation Supplement rule-making process. An interim rule went into effect in September 2020.

The announcement comes months after Sherman testified in October, during his Senate confirmation hearing, that he intended to tweak the program so that it resembled a cybersecurity-as-a-service model and was easier for small businesses to adopt.

Hicks ordered an internal review of the program in March 2021, and in November the Defense Department announced a reconfiguration of the program, CMMC 2.0, which reduced the certification levels and introduced self-attestation for some contractors.

The model, which has drawn criticism over its cost to businesses and its lack of flexibility since its release in 2019, has been eyed by other federal agencies, including the Department of Homeland Security and the General Services Administration, that are looking to create a set of cyber standards for their own contractors.