DoD’s Interim Rule indicates that CMMC will be incorporated into contracts on a phased basis, with only 15 contracts expected to include CMMC requirements for FY 2021. On December 15, 2020 they announced that an initial round of candidate solicitations, 7 in total, have been nominated by the Navy, Air Force, and Missile Defense Agency. Those solicitations are:
- U.S. Navy
- Integrated Common Processor
- F/A-18E/F Full Mod of the SBAR and Shut off Valve
- DDG-51 Lead Yard Services / Follow Yard Services
- U.S. Air Force
- Mobility Air Force Tactical Data Links
- Consolidated Broadband Global Area Network Follow-On
- Azure Cloud Solution
- Missile Defense Agency
- Technical Advisory and Assistance Contract
The solicitations are being reviewed, and must still be approved, by the Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD(A&S)). Once approved, all offerors must undergo the appropriate CMMC certification, and the appropriate requirements must also be flowed down to any subcontractors.
The OUSD(A&S) CISO team is working with the Army and other defense agencies to identify additional candidate solicitations. Those will be announced later.
More details are available in the announcement below:
https://www.defense.gov/Newsroom/Releases/Release/Article/2447770/cybersecurity-maturity-model-certification-pilots-for-fiscal-year-2021/