CMMC requirement changes
DOD Considering Additional Requirements for CMMC Assessments
The Department of Defense wants to expand requirements for Cybersecurity Maturity Model Certification assessments, which, according to sources familiar with the matter, could drive up costs for some companies in the defense industrial base.
Under the proposed changes, certified third-party assessor organizations (C3PAOs) would have to hire four full-time provisional assessors for Level 3 CMMC evaluations, instead of the combination of one assessor and three registered practitioners called for in the original plan.
The DOD is also considering requiring C3PAOs to have quality control employees and new standards for the assessors, FedScoop reported.
Justin Padilla, CMMC lead at Kratos, one of the first accredited C3PAOs, said the proposed changes could create a limited resource issue, with fewer people being eligible to conduct Level 3 assessments.
According to the sources, the publication of the final CMMC requirements is still on hold because the DOD continues to add to them.
Besides the significant added costs, the sources are concerned that the proposed changes could affect the timely implementation of the program.
Under the timeline set by the DOD, CMMC implementation will follow a phased rollout from fiscal years 2021 through 2025. In the first year of the rollout, the department intends to have no more than 15 prime contracts incorporate CMMC requirements. That number will increase gradually in the following years, with the goal of having all DOD contracts comply with the new cybersecurity standards in 2026.