DoD Removes CMMC Requirement for COTS Suppliers; Katie Arrington Quoted

Katie Arrington

The Department of Defense (DoD) has revised the Cybersecurity Maturity Model Certification (CMMC) program to remove the certification requirement for suppliers of commercial-off-the-shelf products, FedScoop reported Tuesday.

The CMMC website previously stated that all DoD contractors must achieve certification regardless of whether they process controlled unclassified information.

Katie Arrington, chief information security officer for defense acquisition and sustainment and 2020 Wash100 Award winner, told the publication in an email that the revision serves as “a clarification based on the existing rule.”

Arrington’s comments come after the DoD selected the National Institute of Standards and Technology to develop requirements for independent assessors responsible for vetting contractors.

The DoD intends to require contractors to meet five levels of cybersecurity maturity as part of the CMMC program. Plans are in place to integrate the framework into all defense contracts by 2026.

According to FedScoop’s report, the recent revision took place between March 19 and April 11.
