Katie Arrington, chief information security officer at the Office of the Assistant Secretary of Defense for Acquisition and a 2020 Wash100 Award recipient, made an announcement on the accreditation body for the Department of Defense's (DoD) new Cybersecurity Maturity Model Certification (CMMC).
“It is a major undertaking, but just like we got to ISO 9000, we need to get there with cybersecurity. If we were doing all the necessary security controls, we wouldn't be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn't have robust cyber hygiene.
Unlike under the current DFARS 252.204-7012, CMMC will not permit contractors to self-certify their compliance. Instead, CMMC audits and accreditation will be handled by third-party vendors overseen by a nonprofit accreditation body established by DoD in early 2020.
Many contractors have stated concerns about funding for the cybersecurity regulations, but Arrington stated that DoD will make CMMC a “reliable cost.“ “Now what you need to do as an industry is help me, help you. I'm not the enemy. I'm literally the one person in government who said, “˜Hi, I'm here to help and I'm legit here to help,“ said Arrington.
CMMC accreditation will fall to third-party accreditation vendors, called “CMMC Third Party Assessment Organizations“ (C3PAOs). The auditors will begin training in the spring of 2020, and CMMC training is expected to be available online on the Defense Acquisition University website.
In addition, DoD has planned to begin including CMMC requirements in Requests for Information (RFIs). Notably, contractors that fail to meet the CMMC level applicable to a solicitation will be ineligible for contract award.
The requirements will flow through the entire supply chain, although subcontractors may be permitted to be certified at a lower CMMC level than prime contractors, depending on the scope and nature of the subcontractor's intended work. Contractors should track the costs of their certifications, which are expected to be allowable in cost-reimbursement contracts.
DoD has projected full integration to occur by 2026. CMMC model will also be updated at least annually to keep up with changing threat environments and technological capabilities.
“We have a great deal of standards for cybersecurity. What we are lacking is a unified standard,“ Arrington said. Through the accreditation process, DoD will be able to secure its supply chain.
Arrington will serve as a keynote speaker at the CMMC Forum 2020. She will address the CMMC's timeline, how the certification process could change and will provide a memorandum of understanding with a newly established CMMC accrediting body.
A full expert panel will include Ty Schieber, senior director of executive education and CMMC-AB chairman of the University of Virginia and Richard Naylor of the Defense Counterintelligence and Security Agency (DCSA) among other members of the federal sector and industry.
Register here to join Potomac Officers Club for its CMMC Forum 2020 on April 2nd to learn about the impact DoD's CMMC will have on cybersecurity practices, supply chain security and other aspects of the federal market.