DoD Removes CMMC Requirement for COTS Suppliers; Katie Arrington Quoted

The Department of Defense (DoD) has revised the Cybersecurity Maturity Model Certification (CMMC) program to remove the certification requirement for suppliers of commercial-off-the-shelf products, FedScoop reported Tuesday.

The CMMC website previously stated that all DoD contractors must achieve certification regardless of whether they process controlled unclassified information.

Katie Arrington, chief information security officer for defense acquisition and sustainment and 2020 Wash100 Award winner, told the publication in an email that the revision serves as “a clarification based on the existing rule.”

Arrington’s comments come after the DoD selected the National Institute of Standards and Technology to develop requirements for independent assessors responsible for vetting contractors.

The DoD intends to require contractors to meet five levels of cybersecurity maturity as part of the CMMC program. Plans are in place to integrate the framework into all defense contracts by 2026.

According to FedScoop’s report, the recent revision took place between March 19 and April 11.
