While the Department of Defense (DoD) is still adjudicating comments on its latest Cybersecurity Maturity Model Certification (CMMC) guidelines, Katie Arrington, CISO for the department of Acquisition at DoD, said the department would be ready to release its first Request for Proposal (RFP) by mid-March.
The agency should be done responding to public comments sometime in February, and after the Air Force releases its first RFP in mid-March, RFPs should be released every two weeks thereafter, Arrington said in a Jan. 26 CompTIA interview.
“This is not the end, this was getting critical thinking about cybersecurity out to the masses,” Arrington said during the broadcast interview. “We have the crawl, walk, run with the three new default rules … but this isn’t just that, this is the start of something much bigger. And we’re all in it together.”
The DoD completed the Pathfinder portion of the CMMC rollout in 2020, Arrington said, and is moving forward with 10 pilot programs for which it will roll out CMMC certifications. The department also has eight more programs ready in the queue but wanted to wait for sign-off by the new administration as a sign of respect.
Over the past year, Arrington and her department have worked closely with the CMMC-Accreditation Body (CMMC-AB), a nonprofit that is training CMMC assessors to analyze and give CMMC accreditations to businesses that are seeking government contracts. The CMMC-AB currently has over 130 trained assessors, Arrington said, but she is hoping to have enough assessors to go over both the prime and sub-contractors by the time DoD starts rolling out RFPs.