CMMC Oversight Shifts to DoD CIO

On February 2, the Deputy Secretary of Defense issued a Memorandum disestablishing the position of Chief Information Security Officer in the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) and assigning responsibility for the Cybersecurity Maturity Model Certification program to the Chief Information Officer of the Department of Defense (DoD CIO).

Status of the FAR and DFARS

The list of open cases under the Federal Acquisition Regulation (FAR), published on February 18, 2022, includes 2021-019 (Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems) and 2021-017 (Cyber Threat and Incident Reporting and Information Sharing).  Both rules aim to enforce requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity, with reports on the rulemaking status due on March 9, 2022.  Additionally, attempts to resolve issues relating to portions of the Controlled Unclassified Information (CUI) Program continue under Case Number 2017-016.

Under Defense Federal Acquisition Regulation Supplement (DFARS) Case 2019-D041 (Assessing Contractor Implementation of Cybersecurity Requirements), DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement) was added, with an effective date of October 1, 2025.  Until that time, the DoD must approve CMMC clauses in new acquisitions.  Case 2019-D041 is still open, with a report on public comments and a proposed final rule due to the Defense Acquisition Regulatory Council (DARC) on March 2, 2022. 

Although the latest estimate on finalization of DFARS 252.204-7021 is 24-36 months from now, the DoD encourages organizations to start implementation processes now.

Project Spectrum*

Have you heard of Project Spectrum?  This web portal, developed by the Department of Defense (DoD), provides resources for organizations desiring to improve their cybersecurity readiness.

  • Register with Project Spectrum to take their Cyber Readiness Check!  The assessment tool walks the user through questions pertaining to requirements in NIST SP 800-171 and CMMC Levels 1, 2, and 3.
  • Check out independent, third-party assessments of cybersecurity-related platforms, links to articles and video recordings, and training modules on topics such as CUI, CMMC Levels, and System Security Plans.

What We Are Following

Follow FoxGuard’s Quarterly CMMC Update blogs to stay up-to-date regarding:

  • Progress on FAR and DFARS updates
  • Upcoming DoD incentives for early CMMC certification
  • Clarification and training on identifying and marking CUI
  • Allowance of Plans of Action & Milestones (POAMs) in CMMC
  • Final decisions on Third-Party Certification vs. Self-Attestation

New Blog Series – Technical Implementation of CMMC

Download FoxGuard’s latest blog on technical implementation of CMMC Levels 1 and 2 at

Need Help?

FoxGuard Solutions is a Registered Provider Organization (RPO), with Registered Practitioners ready to help with your cybersecurity readiness needs, including planning and preparation for CMMC.  You can find us on CMMC Accreditation Body Marketplace/FoxGuard Solutions.

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider our professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DOD work.

FoxGuard’s services will help you save time and money in your journey towards FAR, NIST, and CMMC compliance by helping to accurately evaluate the type of protected information your organization handles, identify where the information resides, and create a customized and streamlined solution for effective and thorough protection of that information.

Please visit for more information.

*FoxGuard Solutions is not endorsed by, directly affiliated with, maintained, authorized, or sponsored by Project Spectrum.

[/et_pb_text][/et_pb_column] [/et_pb_row] [/et_pb_section]