An official website of the United States Government 
Here's how you know

Official websites use .gov

.gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

You have accessed part of a historical collection on Some of the information contained within may be outdated and links may not function. Please contact the DOD Webmaster with any questions.
Immediate Release

Realignment of Responsibility for Cybersecurity Maturity Model Certification (CMMC) Program

On Feb. 2, Deputy Secretary of Defense Kathleen H. Hicks directed the realignment of responsibility for the Cybersecurity Maturity Model Certification (CMMC) program. With this directive, the responsibility for the program transitions from the USD(A&S) to the DoD CIO.  

This realignment will also move the team of six DoD civilians, with contract support, responsible for administering the program, from USD(A&S) to DoD CIO.

"I'd like to highlight the great work by A&S to establish the CMMC program,” said Hon. John Sherman, DoD CIO. “As we realign responsibility for the program, it's important to note that we will continue to work closely with A&S on this program. The CMMC team, led by Stacy Bostjanick, will be aligned under the Deputy CIO for Cybersecurity to increase the program’s integration with other Defense Industrial Base Cybersecurity programs. We are moving out in the coming weeks on the rulemaking process and look forward to continuing critical collaboration with industry stakeholders."

The Department has taken this action to consolidate industry-related cybersecurity programs under common leadership and direction to enable increased synergy and collaboration across the Defense Industrial Base (DIB) Cybersecurity programs.

In the coming weeks, the CIO will begin submitting proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS) rule-making process to ensure maximum collaboration on these requirements.

For more on how CMMC 2.0 differs from its predecessor changes, visit