In the lead up to the release of Cybersecurity Maturity Model Certification version 1.0, DoD representatives walked back the timing for full implementation. Contractors will all need to be certified in the coming years, but concerns about a mad scramble towards certification of the entire defense industrial base in calendar year 2020 have now been allayed. The new standards will be phased in over the next five years so that, by fiscal year 2026, all DoD contracts will include CMMC requirements.
Under CMMC, contractors and subcontractors will have their compliance with security requirements evaluated by neutral third-party evaluators, and all of them will need to meet some level of certification, not just those that handle “covered defense information.”