CMMC Pilot Program Announced
The Department of Defense (“DoD”) issued an interim rule effective on November 30, 2020 which has amended the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement the Cybersecurity Maturity Model Certification (“CMMC”) framework. This interim rule includes the new DFARS clause 252.204-7021 which enables the department to verify the protection of Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) within the unclassified networks of Defense Industrial Base (“DIB”) companies by way of CMMC requirements in RFPs and resulting contracts.
In addition, the interim rule includes a phased rollout of CMMC implementation in fiscal years 2021-2025. Starting in fiscal year 2021, the department will pilot the implementation of CMMC requirements for Levels 1- 3 on select new acquisitions. As a result, the DoD CISO team is currently reviewing the following pilot nominations from the military services and defense agencies*:
- Integrated Common Processor
- F/A-18E/F Full Mod of the SBAR and Shut off Valve
- DDG-51 Lead Yard Services / Follow Yard Services
U.S. Air Force
- Mobility Air Force Tactical Data Links
- Consolidated Broadband Global Area Network Follow-On
- Azure Cloud Solution
Missile Defense Agency
- Technical Advisory and Assistance Contract
For any approved pilot, all offerors will need to undergo the appropriate CMMC assessment per level noted, and awardee(s) must achieve that required CMMC level at time of contract award. The primes will then need to flow down the appropriate CMMC requirement to their subcontractors. Additional updates to this pilot program may be forthcoming.
For more information and to stay current on CMMC, email us.
*awards are anticipated in late 2021.
- Part I: Current State of CMMC
- Part II: CMMC and the DFARS Clause Podcast Series
- Part III: What to Expect in an Upcoming CMMC C3PAO Assessment & How to Prepare