Katie Arrington, chief information security officer for the Department of Defense’s acquisition and sustainment office and a 2020 Wash100 award winner, said the initial version of Cybersecurity Maturity Model Certification requirements could be included in solicitations by November, National Defense Magazine reported Monday.
“We understand this is a big cultural shift and we want to ensure that we’re doing everything we can to bring our small business partners right along with us,” she said Monday at the virtual Special Operations Forces Industry Conference.
Arrington said DoD is on schedule to release the CMMC requirements this year and plans to issue about 10 requests for information in June that integrate the new CMMC rules.
“As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on,” she added.
She noted that changes to the Defense Federal Acquisition Regulation Supplement 252.204-7012 are being carried out and could be finalized in October. “You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed,” Arrington said.