Jan. 31 (UPI) — The Department of Defense announced Friday that by the end of September it will require at least some contractors bidding on defense contracts to certify that they meet “at least a basic level of cybersecurity standards” in their proposals.
A Pentagon press release issued Friday said the DoD had released its new Cybersecurity Maturity Model Certification and will begin adding the requirements to requests for information and requests for proposals incrementally throughout this year.
By fiscal year 2026, all new contracts will contain CMMC requirements, undersecretary of defense for acquisition and sustainment Ellen M. Lord said at a Pentagon news conference.
“Adversaries know that in today’s great-power competition environment, information and technology are both key cornerstones,” Lord said. “Attacking a sub-tier supplier is far more appealing than a prime [supplier].”
The new CMMC includes five levels of certification in cybersecurity practices and processes, starting with what Katie Arrington, the DoD’s chief information security officer for acquisition, described as “the basic cyber hygiene skills we should be doing every day”: antivirus software, updated passwords.
The department will not certify potential defense contractors for CMMC on its own, Lord said, but instead “third-party assessment organizations” — paid by contractors, not the DoD — will conduct those assessments.
Subcontractors will not necessarily need to have the same level of CMMC certification to win a contract, Arrington said.
In 2018 the Department of Justice indicted two hackers associated with the Chinese government on charges they attempted to steal sensitive information from U.S. companies that manufacture jet engines, and in 2009 the Wall Street Journal reported that hackers had stolen information on the Joint Strike Fighter Project.