CMMC review, multiuse SCIFs on radar of DoD acquisition nominee
Michael Duffey, the nominee to be USD for acquisition and sustainment, told lawmakers he’s sensitive to CMMC compliance challenges for small businesses.
The nominee for the Pentagon’s top acquisition job says he’ll review the Cybersecurity Maturity Model Certification program, as the Defense Department works to finalize the sweeping CMMC requirements.
Michael Duffey, President Donald Trump’s nominee to be under secretary of defense for acquisition and sustainment, was asked about CMMC in advance policy questions (APQs) submitted ahead of his March 27 nomination hearing before the Senate Armed Services Committee.
“I recognize the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors,” Duffey wrote in response. “If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.”
Duffey also said he would review the role of CMMC third-party assessment organizations, 3PAOs, as well as the Cyber Advisory Board that accredits 3PAOs. Those organizations will be crucial as thousands of defense contractors seek third-party assessments of their network security practices.
The Pentagon’s acquisition directorate, which Duffey would oversee, is working to finalize proposed CMMC contracting rules. Once DoD publishes the final rule, it can begin including the CMMC requirements in contracts.
But in addition to Duffey’s proposed review, DoD officials are also navigating CMMC through Trump’s deregulatory push. The administration is requiring agencies to repeal 10 regulations, rules or guidance documents for every new one.
DoD officials overseeing CMMC had hoped to implement the requirements starting this year.
The CMMC program is intended to ensure defense contractors are meeting standards for protecting sensitive information on their networks. DoD officials say the defense industrial base is frequently targeted — and breached — by foreign hackers seeking data about U.S. technologies.
In response to another APQ, Duffey pointed to the challenge of balancing “the pace at which DoD and industry need to react to evolving threats with the implementation timelines industry needs to comply as adversaries continue to evolve their tactics, techniques, and procedures (TTP).”
“It is my understanding that the cyber capabilities of the companies in the DIB vary greatly,” Duffey wrote. “If confirmed, I look forward to reviewing the current state of DoD cybersecurity requirements for our industry partners and working to ensure we balance a need for security with the burdens of excessive regulation.”
The Pentagon has been working on the CMMC requirements for more than six years. In 2021, Pentagon officials initiated a major review of CMMC. The resulting changes lessened some of the cybersecurity and assessment requirements under what became known as “CMMC 2.0.” It also delayed the requirements by several years.
Some industry advocates argue that CMMC compliance will still be too costly for small businesses. DoD officials say CMMC merely enforces existing contractual cybersecurity standards and that industry has had plenty of time to prepare for the rules.
Duffey was also asked about balancing cybersecurity with compliance burdens on small and medium-sized businesses. He pointed to how those businesses often lack access to Sensitive Compartmented Information Facilities, where classified cyber threat data can be shared.
“These businesses are often more vulnerable to cyberattacks due to resource constraints, yet they play a vital role in our nation’s defense,” Duffey said. “Access to secure facilities, such as SCIFs, is often cost-prohibitive for smaller companies. If confirmed, I will actively explore the feasibility of multi-use SCIFs and other shared resource models to alleviate this burden and ensure equitable access to classified information.”
Copyright © 2025 Federal News Network. All rights reserved.