Foreign partners are considering adopting the new cybersecurity standards that industry must eventually adhere to if it wants to do business with the Pentagon, the Defense Department’s top weapons buyer said recently.
Cybersecurity Maturity Model Certification version 1.0, or CMMC, was released in January. The aim of the initiative is to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The lower tier of the supply chain is of particular concern to Pentagon officials.
The specific standards that must be met will depend on the program and work that a company will be doing. The level 1 standards will be the least demanding and level 5 the most burdensome.
Third-party assessors, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts.
The new model will be phased in over the next five years to give contractors time to adjust. By fiscal year 2026, all new Defense Department contracts will contain CMMC requirements that companies must meet to win the award.
Now, foreign nations are considering following in the Pentagon’s footsteps, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said at the annual McAleese & Associates defense programs conference in Washington, D.C.