DoD shepherds CMMC through Trump deregulatory initiative



The Trump administration has a ‘10 out, one in’ rule for new regulations, but DoD officials are confident they can finalize the CMMC requirements soon.

The Defense Department is still working to finalize the Cybersecurity Maturity Model Certification (CMMC) acquisition rule and clear a deregulatory push by the Trump administration.

DoD released the draft CMMC acquisition rule last August. Officials had hoped to finalize the rule and begin including CMMC requirements in contracts by the middle of this year.

But the Trump administration imposed a 60-day regulatory freeze on its first day in office. While that freeze recently lifted, President Donald Trump also issued an executive order requiring agencies to repeal at least 10 rules, regulations or guidance documents for every new rule.

Stacy Bostjanick, director of defense industrial base cybersecurity in DoD’s office of the chief information officer, said the CMMC acquisition rule is caught up in that process.

“We are working a couple of different angles,” Bostjanick told reporters on the sidelines of the Zscaler public sector summit in Washington, DC, today. “The regulatory freeze lifted, but we’re still stuck in the 10-to-one. So we have to make a justification — either come up with a justification that it’s a national security imperative, or you have to name 10 requirements. So we’re working with our [Office of General Counsel] right now.”

But Bostjanick believes the Trump administration will ultimately support the need for CMMC. The certification rule is intended to ensure defense contractors are following requirements for protecting controlled unclassified information (CUI).

“We don’t want to impose more [regulations],” she said. “But I think this administration does recognize the need for protecting of CUI. The fact that our F-35 — that we spent how many billions of dollars on — has been stolen, and the F-22 has been stolen. We probably need to make sure that we protect this data.”

Katie Arrington, one of the architects of CMMC, has also returned to the Pentagon. She’s now serving as acting DoD chief information officer.

“Katie has always been a force for CMMC, even when she was no longer in the department,” Bostjanick said. “I don’t see Katie taking her foot off the gas pedal.”

The Pentagon finalized a separate CMMC program rule late last year. While assessments won’t be required until the acquisition rule is final, Bostjanick said some companies have already gotten assessments from CMMC Third-Party Assessment Organizations (C3PAOs).

“We’re working with the C3PAOs and the assessors to bump up and get that running,” Bostjanick said.

Meanwhile, Bostjanick said her office has also helped the undersecretary for acquisition and sustainment adjudicate comments on the draft CMMC acquisition rule. The CIO’s office and A&S are also working together on CMMC pricing, as contractors can incorporate the costs of compliance into their rates.

“We are working with the Defense Pricing Group to make sure that programs are ready for the impact,” she said. “Because they’re going to pass it on to the government, and so your programmatic costs are going to go up. And so we’re working very hard with them, so the program managers are prepared and ready and [Program Objective Memorandum] increase in their programs.”

Meanwhile, despite the regulatory hurdles, Bostjanick said she still hopes the Pentagon can finalize the acquisition rule and begin including CMMC in contracts by mid-year.

“We still have a hope and a prayer,” she said. “While there is a requirement to get rid of 10 [rules], that doesn’t mean we’ve stopped our efforts in moving that rule forward.”

Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.




