DOD exploring requirements for managed service providers under CMMC

The Pentagon's officials overseeing the development of CMMC are planning to meet soon to address potential requirements for managed service providers under the program.

The Department of Defense has created a new framework of cybersecurity requirements and certifications contractors must achieve under the Cybersecurity Maturity Model Certification (CMMC). But what about the DOD contractors that mostly outsource their IT and cybersecurity to managed service providers?

The Pentagon’s CMMC leadership, now housed in its Office of the CIO, is planning to meet soon to address potential requirements for managed service providers under the CMMC framework that could ease the burden for those contractors that do very little of their own IT.

“What we are looking for are ways to ease the burden on the [defense industrial base],” Stacy Bostjanick, chief of implementation and policy in the Office of the CIO, said Wednesday during a town hall event with NeoSystems. “And so cybersecurity-as-a-service is a logical place that we’re moving to,” she said, adding that the office is considering pilots to explore those kinds of arrangements.

Bostjanick said more and more defense contractors have moved to a managed service provider for IT, and that means “we’re going to have to make sure that we have a model and requirements that fit that paradigm to ensure that those providers are secure as well as the companies using them.”


In the next few weeks, she will meet with DOD Chief Information Security Officer David McKeown and others “where we’re proposing what kind of requirements we would ask managed service providers, cybersecurity-as-a-service people who use cloud capabilities … so companies can be secure in using them, so that they meet the requirements.”

The hope is that the Pentagon will be able to finalize those requirements in time to include them in the updated interim rule for what is being referred to as CMMC 2.0 — a streamlined set of requirements for defense contractors introduced late last year. Bostjanick is eyeing March 2023 for the release of that rule, after which DOD would begin implementing CMMC in some contracts that May.

Once McKeown gives his approval to any different rules for managed service providers, the department will begin sharing those with industry for feedback.

As DOD looks ahead to issuing a CMMC rule next year, things continue to evolve for the program. For instance, last month Bostjanick detailed how the department is thinking now about the different types of controlled unclassified information that contractors handle, like prioritized and non-prioritized CUI.

Under CMMC 2.0, contractors that handle CUI will have to be certified in meeting one of three tiers of requirements.


But even the DOD has shown that meeting those requirements can be difficult. According to the Government Accountability Office, though the DOD is not legally required to meet CMMC standards itself, its components have only met 78% of the 110 requirements for systems that manage advanced levels of CUI.

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. Prior to joining Scoop News Group in early 2014, Billy embedded himself in Washington, DC's tech startup scene for a year as a tech reporter at InTheCapital, now known as DC Inno. After earning his degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.