DOD announces first CMMC pilot contract nominees

The Defense Department has released the first contracts that could include the Cybersecurity Maturity Model Certification requirement for contractors that’s aimed to make the defense industry base’s infrastructure more secure.

The Dec. 15 announcement calls out seven pilot contracts: the Technical Advisory and Assistance contract for the Missile Defense Agency; the Azure Cloud Solution, Mobility Air Force Tactical Data Links, and Consolidated Broadband Global Area Network Follow-On contracts for the Air Force; and the Navy’s Integrated Common Processor, F/A-18E/F Full Mod of the SBAR and Shut off Valve, and yard services for the Arleigh Burke Class destroyer contracts.

The contracts are considered nominated "candidates" that will undergo a CMMC assessment. Contract winners "must achieve the required CMMC level at time of contract award, and flow down the appropriate CMMC requirement to subcontractors," the Defense Department said.

The announcement comes after the interim rule that lays the groundwork for CMMC took effect Dec. 1, requiring defense contractors to self-attest to which NIST SP 800-171 protocols they’re employing. Those companies with higher security work would also have to submit to a third-party audit.

More candidates may be announced in the coming weeks as DOD works with the Army and other defense agencies to find contracts that fit certain criteria, according to the statement.