CMMC Chief Supports Internal Program Assessment

CYBER

JUST IN: CMMC Leader Supports Internal Program Review

4/8/2021
By Yasmin Tadjdeh

iStock photo

The Defense Department has launched an internal review of its burgeoning Cybersecurity Maturity Model Certification program, but the leader of the initiative says she isn’t concerned.

Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment and the face of the CMMC rollout, likened the assessment to a standard acquisition category, or ACAT, 1 review of major defense acquisition programs.

The review will ensure “we're during the implementation correctly internally,” she said April 8 during a webinar hosted by Deltek. “That's actually been phenomenal [at] ... helping us looking across the departments so we're not duplicating effort or anything like that.”

CMMC is a far-reaching Pentagon initiative aimed at requiring the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China.

The new cybersecurity standards, which companies must eventually adhere to if they want to do business with the Pentagon, was first unveiled in January 2020 during the Trump administration. It includes five different security levels. The level that a company must achieve will depend on the work it is doing for the department for specific contracts.

“As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” Pentagon spokesperson Jessica Maxwell said in a statement to National Defense April 1. “This assessment will be used to identify potential improvements to the implementation of the program.”

Maxwell declined to say who initiated the review, when it was launched, or when it is expected to be completed.

Meanwhile, Arrington said work on the CMMC rollout is moving forward. The Pentagon is taking a phased approach and is on track to release 15 contracts with the CMMC requirements included in them this year. Seven of those have already been released.

“We are waiting for the new undersecretary of defense for acquisition and sustainment to get onboard and get through the process” before releasing the others, she noted. “We're absolutely going to do 15. They are in queue to roll out.”

On April 2, the White House announced its intention to nominate Michael Brown, the current director of the Defense Innovation Unit, to lead the A&S office.

The contracts represent “a broad swath of programs,” Arrington said. “We didn't want it to be just one service. We didn't want it to be just one capability. We went through and we looked at large and small contracts and worked with the services.”

The plan is to release 75 contracts with CMMC requirements in fiscal year 2022, she said.

During implementation, third-party assessor organizations, known as C3PAOs, will conduct audits to certify that a company has met the required standards before it can win contracts. Contractors are responsible for paying for the audits and their efforts to come into compliance.

The new requirements are being rolled out over time. By 2026, all Pentagon contracts will include CMMC requirements. The rules are expected to affect more than 300,000 contractors in the defense industrial base.

“There are currently right now 122 provisionally trained assessors and those individuals have gone through training, they've gone through background clearances, they've gone through testing,” Arrington said.

There are also 100 C3PAO that are being assessed by a CMMC accreditation body, she said. Those organizations themselves will have to be Level 3 compliant.

Once they are certified, “they can bring the provisionally trained assessors ... under their umbrella to be able to go out to your company and actually provide you an assessment [and] do the audit,” Arrington said.

The first C3PAOs should be certified within the next 30 to 40 days, she noted.

— Additional reporting by Jon Harper

Topics: Cyber, Cybersecurity, Information Technology, Infotech

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES

JUST IN: CMMC Leader Supports Internal Program Review

Related Events

CMMC Webinar: NIST SP800-171 Revision

Comments (0)

JUST IN: CMMC Leader Supports Internal Program Review

Related Articles

‘Incredible Interest’ in Cloud Computing Program

U.S. Winning Supercomputer Race, For Now

Small Contractors Struggle with Cyber Rules

Related Events

CMMC Webinar: NIST SP800-171 Revision

Comments (0)