The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.
The CMMC program will ultimately require that all defense contractors have their cybersecurity practices certified by a system of independent third-party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.
Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases—15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year—and won’t be fully applicable until 2025.
That led one participant during a virtual meeting hosted by the Armed Forces Communications & Electronics Association Thursday to suggest organizations might even want to deprioritize complying with the CMMC’s requirements.
“I wouldn’t put it on the back burner,” said Katie Arrington, the chief information security officer for Defense acquisitions. Arrington is in charge of implementing the program and took questions during the event. She consistently stresses the inevitability of the CMMC and the utility of the model across the government.
“There will be a cyber requirement in every department of defense contract,” she said, adding, “This is rolling out to other federal agencies. The next one is DHS, we’re going to…work through DHS to start implementing the CMMC on their contracts.”
Last year Arrington promised that 2021 would see two federal agencies adopt CMMC requirements, and the General Services Administration has now mentioned it in two of its government-wide acquisition vehicles.
Arrington said the department is waiting on the new administration to review the first contracts to be selected.
“We thought it was only fair that these contracts would be executed under their administration,” she said, “so for them to approve and be made aware,” would be correct.
But while the pilot projects are important for establishing an adjudication baseline, Arrington said, companies can be proactive in obtaining certification from the CMMC Accreditation Body, which she estimates has trained and certified 130 independent assessors.
“You should have readily available by spring early summer, a practitioner certified in a geographical area near you,” she said. “If you wanted to go out and get a certification you could, you do not need to wait.”