DoD Acquisition Nominee Reviews CMMC Requirements

Credit: Justin Doubleday, Federal News Network

The nominee for the Pentagon's top acquisition job says he'll review the Cybersecurity Maturity Model Certification (CMMC) program as the Defense Department works to finalize sweeping CMMC requirements.

Advance Policy Questions Before the Nomination Hearing

Michael Duffey, President Donald Trump's nominee to be under secretary of defense for acquisition and sustainment, was asked about CMMC in advance policy questions submitted ahead of his March 27 nomination hearing before the Senate Armed Services Committee.

Duffey wrote that he recognizes the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors. If confirmed, he will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.

Reviewing Third-Party Assessment Organizations

Duffey also said he would review the role of CMMC third-party assessment organizations (C3PAOs) as well as the Cyber AB, the accreditation body that accredits C3PAOs. Those organizations will be crucial as thousands of defense contractors seek third-party assessments of the security practices on the networks that handle DoD information.

Implementation Timeline Unclear

The Pentagon's acquisition directorate, which Duffey would oversee, is working to finalize proposed CMMC contracting rules. Once DoD publishes the final rule, it can begin including the CMMC requirements in contracts.

However, in addition to Duffey's proposed review, DoD officials are also navigating CMMC through Trump's deregulatory push. The administration is requiring agencies to repeal 10 regulations, rules or guidance documents for every new one.

CMMC Program Background

The CMMC program is intended to ensure defense contractors are meeting standards for protecting sensitive information on their networks. DoD officials say the defense industrial base is frequently targeted — and breached — by foreign hackers seeking data about U.S. technologies.

Industry Concerns Remain

In response to another advance policy question, Duffey pointed to the challenge of balancing "the pace at which DoD and industry need to react to evolving threats with the implementation timelines industry needs to comply as adversaries continue to evolve their tactics, techniques, and procedures (TTP)."

Duffey also noted that the cyber capabilities of companies in the defense industrial base vary greatly. If confirmed, he looks forward to reviewing the current state of DoD cybersecurity requirements for industry partners and working to ensure a balance between security needs and the burdens of excessive regulation.

History of CMMC Development

The Pentagon has been working on the CMMC requirements for more than six years. In 2021, Pentagon officials initiated a major review of CMMC, resulting in changes that lessened some cybersecurity and assessment requirements under what became known as "CMMC 2.0." The changes also delayed the requirements by several years.

Industry Advocates Remain Skeptical

Some industry advocates argue that CMMC compliance will still be too costly for small businesses. DoD officials say CMMC merely enforces existing contractual cybersecurity standards and that industry has had plenty of time to prepare for the rules.

Navigating Compliance Burdens

Duffey was also asked about balancing cybersecurity with compliance burdens on small and medium-sized businesses. He pointed out how those businesses often lack access to Sensitive Compartmented Information Facilities (SCIFs), where classified cyber threat data can be shared.

Addressing SCIF Accessibility

Duffey said that these businesses are often more vulnerable to cyberattacks due to resource constraints, yet they play a vital role in our nation's defense. Access to secure facilities like SCIFs is often cost-prohibitive for smaller companies. If confirmed, he will actively explore the feasibility of multi-use SCIFs and other shared resource models to alleviate this burden and ensure equitable access to classified information.