Cybersecurity, Privacy, & AI

Arrington: Cybersecurity Outlays an Allowable Cost

Ahead of the release of the next draft version of the Cybersecurity Maturity Model Certification, Katie Arrington, the special assistant to the assistant secretary of defense for acquisition for cyber, thanked industry for its support and noted that expenses related to boosting the cybersecurity of contractor systems will be considered an allowable cost.

While DoD has set out a five-year plan for fully implementing the CMMC, Arrington expects the full rollout will take less time, as industry is on board with the program. According to Arrington, DoD expects third-party assessors to certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023.

Speaking at an event sponsored by Holland & Knight, Arrington also acknowledged the cost of the initiative. “We also are telling you security is an allowable cost now,” she remarked. “We are working through the Office of Management and Budget to ensure we have cost realism built into our estimations for our programs and acquisitions moving forward.” Proposed DFARS rules incorporating CMMC into DoD’s regulations are expected by spring and should be finalized by September.
