The Cybersecurity Maturity Model Certification will be required for some contracts later this year, and will become standard by 2026, but companies are looking to adopt these rules as soon as possible. Frank Kendall, former Under Secretary of Defense for Acquisition, Technology & Logistics, says that the rollout could result in many different outcomes.
“One way this could go is it could become a relatively meaningless assessment in which pretty much everybody gets to some basic level and then they are all allowed to bid on contracts which would mean they won’t have done what they’re trying to do,” Kendall said. “The other extreme is that it becomes a very serious barrier to entry and it is very hard for people to bid on contracts. And then there will be a huge cry from industry about how they are prevented from bidding on contracts. The cost of those two extremes is very different.”