Trump’s Pentagon acquisition chief nominee vows to review controversial CMMC program

Michael Duffey, President Donald Trump’s nominee to be the next undersecretary of defense for acquisition and sustainment, told lawmakers that he will review the Pentagon’s controversial Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative if he’s confirmed.
The final rule for the revamped CMMC 2.0 program went into effect in December, which means that defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance, depending on the sensitivity of the information they handle, to be eligible to win DOD contracts. After years of high-profile scoping and rulemaking efforts, the Pentagon plans to implement the new requirements by the middle of this year.
Contractors and defense industry observers have previously expressed concerns about the burdens that CMMC regulations would impose, particularly for smaller firms that have fewer resources to ensure compliance.
An industry report by Redspin published earlier this year found that over half of respondents did not feel prepared for CMMC’s requirements.
Another report published this week by Kiteworks and co-sponsored by Coalfire found shortfalls in gap analysis and advanced controls. Respondents cited budgetary and resource constraints, the technical complexity of implementing controls, scope complexity and definition challenges, and understanding requirements and documentation as some of the biggest CMMC-related challenges.
“It is my understanding that the cyber capabilities of the companies in the DIB vary greatly. If confirmed, I look forward to reviewing the current state of DoD cybersecurity requirements for our industry partners and working to ensure we balance a need for security with the burdens of excessive regulation,” Duffey wrote in his responses to advance policy questions from lawmakers ahead of his confirmation hearing Thursday with the Senate Armed Services Committee.
He noted that cyberattacks on defense industrial base information systems threaten the Pentagon’s mission execution and warfighting capabilities, and put at risk U.S. technological superiority, intellectual property and national security information.
“Bolstering cybersecurity across the DIB without placing undue burdens on small and medium-sized businesses is critical. These businesses are often more vulnerable to cyberattacks due to resource constraints, yet they play a vital role in our nation’s defense,” Duffey wrote. “I recognize the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors. If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.”
Additionally, he told lawmakers that he would review current and potential mechanisms to assess CMMC compliance — including third-party assessment organizations — and accreditation procedures “to ensure our requirements keep pace with the threat and manage the burden on the industrial base.”
Duffey also noted that access to sensitive compartmented information facilities (SCIFs) can be costly for smaller companies. If confirmed, he said he will “actively explore” the feasibility of multi-use SCIFs and other shared resource models to reduce that burden for small firms and facilitate their access to classified information.
The CMMC program previously fell under the responsibility of the undersecretary of defense for acquisition and sustainment, but was transferred to the DOD Office of the Chief Information Officer in 2022. Katie Arrington, who was viewed as a key architect of the original iteration of CMMC within A&S during the first Trump administration, recently returned to the Pentagon and was quickly appointed as the acting CIO.
Duffey also has prior government experience, including at the Pentagon. He served as associate director of national security programs in the Office of Management and Budget during the first Trump administration. He’s also served as deputy chief of staff to the secretary of defense and chief of staff to the undersecretary of defense for research and engineering, among other roles.