JUST IN: CMMC Leader Supports Internal Program Review
The Defense Department has launched an internal review of its burgeoning Cybersecurity Maturity Model Certification program, but the leader of the initiative says she isn’t concerned.
Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment and the face of the CMMC rollout, likened the assessment to a standard acquisition category, or ACAT, 1 review of major defense acquisition programs.
The review will ensure “we're during the implementation correctly internally,” she said April 8 during a webinar hosted by Deltek. “That's actually been phenomenal [at] ... helping us looking across the departments so we're not duplicating effort or anything like that.”
CMMC is a far-reaching Pentagon initiative aimed at requiring the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China.
The new cybersecurity standards, which companies must eventually adhere to if they want to do business with the Pentagon, was first unveiled in January 2020 during the Trump administration. It includes five different security levels. The level that a company must achieve will depend on the work it is doing for the department for specific contracts.
“As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” Pentagon spokesperson Jessica Maxwell said in a statement to National Defense April 1. “This assessment will be used to identify potential improvements to the implementation of the program.”
Maxwell declined to say who initiated the review, when it was launched, or when it is expected to be completed.
Meanwhile, Arrington said work on the CMMC rollout is moving forward. The Pentagon is taking a phased approach and is on track to release 15 contracts with the CMMC requirements included in them this year. Seven of those have already been released.
“We are waiting for the new undersecretary of defense for acquisition and sustainment to get onboard and get through the process” before releasing the others, she noted. “We're absolutely going to do 15. They are in queue to roll out.”
On April 2, the White House announced its intention to nominate Michael Brown, the current director of the Defense Innovation Unit, to lead the A&S office.
The contracts represent “a broad swath of programs,” Arrington said. “We didn't want it to be just one service. We didn't want it to be just one capability. We went through and we looked at large and small contracts and worked with the services.”
The plan is to release 75 contracts with CMMC requirements in fiscal year 2022, she said.
During implementation, third-party assessor organizations, known as C3PAOs, will conduct audits to certify that a company has met the required standards before it can win contracts. Contractors are responsible for paying for the audits and their efforts to come into compliance.
The new requirements are being rolled out over time. By 2026, all Pentagon contracts will include CMMC requirements. The rules are expected to affect more than 300,000 contractors in the defense industrial base.
“There are currently right now 122 provisionally trained assessors and those individuals have gone through training, they've gone through background clearances, they've gone through testing,” Arrington said.
There are also 100 C3PAO that are being assessed by a CMMC accreditation body, she said. Those organizations themselves will have to be Level 3 compliant.
Once they are certified, “they can bring the provisionally trained assessors ... under their umbrella to be able to go out to your company and actually provide you an assessment [and] do the audit,” Arrington said.
The first C3PAOs should be certified within the next 30 to 40 days, she noted.
— Additional reporting by Jon Harper