The Intelligence and National Security Alliance continues to deliver top leaders in the DoD, and yesterday's on-the-record discussion helped listeners better understand the ins and outs of the Cybersecurity Maturity Model Certification (CMMC).
Katie Arrington is the Chief Information Security Officer to the Assistant Secretary of Defense for Acquisition. She serves as the integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment to align acquisition cyber strategy and ensure the incorporation of cybersecurity efforts to provide a streamlined governance approach. This office serves to synchronize the existing disparate cyber security standards across government and industry as it relates to acquisition.
The Office of the Under Secretary of Defense for Acquisition and Sustainment recognized that security is foundational to acquisition and should not be a trade-off against other factors. The office is working with stakeholders to develop the CMMC, which will review and combine cybersecurity standards and best practices, mapping these processes across different maturity levels ranging from basic cyber hygiene to advanced (level I, II, III and so on). For a given CMMC level, the associated controls will reduce risk from cyber threats and our adversaries. The CMMC builds upon the existing Defense Federal Acquisition Regulations (DFAR), under which 1500-1750 companies will need to be certified in 2021.
Arrington notes at the beginning of the discussion, “We are living in interesting times, but the CMMC is going to continue, and we are not stopping or letting up on the gas.” We are now at the 17-day mark until the interim rule becomes effective on December 1. Next week we will see which 15 contracts will be in the first community of interest.
It will take five years for assessors to perform audits.
Arrington advises that even if you are not in the first 15 contracts in year one, for which self-assessment into the Supplier Performance Risk System (SPRS) will be mandatory, you should get your certification lined up. Everyone should be securing the CMMC certification, and she is “hoping this is a wake-up call for companies to register their own assessment in the supplier risk platform.”
How is DoD working to ensure CMMC won't stifle competition?
Arrington notes that this plan took a lot of thought and care. Previously, the playing field in industry was not level for small businesses compared to large contractors. They are hoping that when it comes to awards, the CMMC will serve as a “go or no-go” decision (i.e. you are either level I or you simply aren't). The office wants companies to define their own destiny, and it wants small companies to grow and mature.
Security is not a one-size-fits-all policy, so we will see Requests for Proposals (RFPs) come out that could require a prime contractor to be at level III with the subcontractors required at level I. Contractors need to ensure their teams are meeting these requirements through NDAs as opposed to marketing their certification on open platforms. Do we want to make it easier for our adversaries to target companies by having them advertise what CMMC level they are certified at? We think not.
Arrington also touched on the handling of controlled unclassified information, the DoD's instruction and the implications CMMC has for that handling, and what the Federal Acquisition Security Council and its task force are doing to ensure that software products used by the government and contractors do not pose inherent risks to US national security. She says they are diligently working to get any nefarious products out of our infrastructure per section 889 of the National Defense Authorization Act (NDAA).
COVID-19 and telecommuting have solidified the notion that we should be working in a zero-trust environment when it comes to DevOps, SecOps and cybersecurity.
“We are not slowing down,” Arrington says. “The adversaries are not waiting or taking a pause – they are working every day to negatively affect our supply chain. The CMMC is here to help you critically think about your posture for cybersecurity.”
So, contractors, mark your calendars. December 1 is the start of a new day in the DoD where cybersecurity is foundational to acquisition, critical to US commerce, and imperative to US national security.