Katie Arrington, the special assistant to the assistant secretary of defense for acquisition for cyber, reiterated recently that Cybersecurity Maturity Model Certification (CMMC) compliance expenses will be considered an allowable cost. She remarked, “We are working through the Office of Management and Budget to ensure we have cost realism built into our estimations for our programs and acquisitions moving forward.”
Ms. Arrington also outlined the current timetable for CMMC rollout, noting that although DOD set a five-year goal for full CMMC implementation, she expects the rollout to take less time. DOD’s current estimates for certifications are roughly 1,500 contractors by the end of 2021, 7,500 by the end of 2022, and 25,000 by the end of 2023. Ms. Arrington credited the good progress to date to strong collaboration between industry and DOD and noted that similar cybersecurity initiatives (NIST Special Publication 800-171) also met aggressive timetables.
Ms. Arrington’s appearance coincided with the release of the CMMC Model v1.0 on January 31, 2020.