The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) rule marks a crucial step toward strengthening DoD’s cybersecurity posture, and a senior Pentagon tech official expressed confidence on Tuesday that the rule will take effect despite a more general anti-regulation climate being put into place by the Trump administration.
In October 2024, DoD released the final rule for the CMMC program, which requires Defense Industrial Base (DIB) contractors and subcontractors to implement necessary security measures for Federal Contract Information and introduces new security requirements for Controlled Unclassified Information related to specific priority programs.
Stacy Bostjanick, director of DIB cybersecurity in DoD’s Office of the Chief Information Officer, said she views CMMC as a solution to the DoD’s current regulatory process, which she argued “does not help us keep pace with current [cybersecurity] threats.”
“I view CMMC as the roll, before the crawl, before the walk, before the broader implementation,” she said at the Zscaler Public Sector Summit in Washington, D.C. on March 25.
“With every new program … we’re going to have to adapt as we go forward,” Bostjanick said. “Today, we are meeting the zero trust requirements within the department, but if it is the protection we need, I can see it evolving into something we need on a larger scale.”
The CMMC rule is set to take effect in fiscal year 2025, but a 60-day regulatory freeze imposed by the Trump administration has delayed it. Though the freeze was recently lifted, an executive order also required agencies to repeal 10 existing rules for every new one.
However, Bostjanick said she remains confident that the Trump administration will ultimately back the necessity of CMMC.
“We’re working through that … to make sure that we are protecting ourselves, we’re going to have to work our way through that,” Bostjanick said.
“If we want to protect our lifestyle, we want to protect the way that we in this nation have grown to be the innovators and the leading edge for technology that we need to protect that data,” she said.
