Pentagon navigates regulatory challenges to advance CMMC
The Pentagon continues to finalize the Cybersecurity Maturity Model Certification (CMMC) acquisition rule, despite regulatory challenges under the Trump administration. CMMC is a cybersecurity initiative designed to safeguard sensitive controlled unclassified information (CUI) within the defense industrial base by certifying defense contractors' cybersecurity practices.
Initially expected to take effect by mid-2025, the CMMC rule faced delays due to a sixty-day regulatory freeze imposed at the beginning of President Trump's current term. Additional complexity arises from an executive order mandating the repeal of ten existing regulations for every new rule enacted, as reported by Federal News Network.
Stacy Bostjanick, the Pentagon's director of defense industrial base cybersecurity, indicated that the rule's progress hinges on demonstrating a national security imperative or identifying ten rules to repeal. "We’re working with our Office of General Counsel right now," Bostjanick explained, expressing optimism about eventual White House support due to the critical nature of cybersecurity protections. Citing thefts of expensive assets within programs such as the F-35 and F-22 fighters, she emphasized the administration’s recognition of cybersecurity's importance.
Despite these challenges, the Pentagon continues collaborating with third-party assessors (C3PAOs) and adjusting program budgets to account for compliance costs. Katie Arrington, a key architect of CMMC who recently returned as acting DOD Chief Information Officer, remains committed to accelerating the implementation of this critical cybersecurity measure. The Pentagon aims to finalize and incorporate the CMMC requirements into federal contracts within the coming months.