The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program is in the process of being rolled out to every contract in the Defense Industrial Base (DIB) over the next five years, and the program is expected to help organizations implement Zero Trust practices, Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said May 5.
The DoD’s Office of the Secretary of Defense (OSD) is also drafting a Zero Trust memorandum, Arrington said at an ATARC virtual event.
“We’re moving forward with … this big push right now on zero trust,” Arrington said. “You know, CMMC is a part of zero trust. It is something that is to help one of our DIB partners or our DIB partners get the critical thinking around cybersecurity.”
Arrington gave no estimated timeline for when the memorandum will come out but said it is being actively worked on in collaboration with DoD Cybersecurity Deputy CIO David McKeown and acting DoD CIO John Sherman.
She noted that while this memo is a priority for the DoD OSD, it should not be expected to be an easy fix or instant solution.
“That’s one of the misnomers on that … we get these buzzwords, and we think that there is an easy button, and you press the easy button, and everything’s better,” Arrington said. “And it’s not. Zero trust is a complex culmination of different capabilities, processes, policies, products. It’s just doing things to buy down the risk, continually buying down the risk.”
The CMMC program is just one part of “buying down the risk” that, in addition to making sure DIB partners are using cybersecurity best practices, will also help ward off adversary attacks such as ransomware. She said the major hacks of last year were just the “pebble that dropped into the pond” and the ripples are getting bigger and bigger.
“We’ve seen record numbers of ransomware attacks where small businesses just are not prepared to deal with that,” Arrington said. “We have been trying to get the word out about zero trust. How CMMC is just one part of it … Divide down the risk of adversary influence in our supply chain in our business operations.”
“The adversary is very active, and we at the Department of Defense thank gosh for CYBERCOM and our authorities in that capacity,” she added. “But [we’re] definitely very busy [with] zero trust, CMMC, and what we can do to help the DIB.”