Katie Arrington, CISO for acquisition at the Department of Defense, says a rule change on the Cybersecurity Maturity Model Certification (CMMC) will benefit small businesses looking to work with the Defense Department.
Arrington said that under the current process not all businesses are certified as having met the standards set by the National Institute of Standards and Technology.
“The way the process works right now is that we all self-attest,” said Arrington, on the program Government Matters. “The current default rule actually makes it uneven in competition for small businesses.”
While host Francis Rose said that the first group of cyber evaluators for the CMMC program could be trained and ready to go by the end of April, Arrington provided a May estimate for the default rule change becoming public.
“The whole purpose of the CMMC was making a unified standard so we could lower the barrier for entry for those non-traditionals and small businesses,” Arrington said.
“The CMMC is a go, no-go decision,” Arrington said. “You either are or you’re not ready.”
The Department of Defense has been working with Johns Hopkins University, Carnegie Mellon University’s Software Engineering Institute, and the accreditation body training working group to create standardized training for all of the certified third-party assessment organizations and individual auditors.
“The standards should evolve,” said Arrington, noting that most contractors will have CMMC Level 1 certification. “The whole pretense of the model was to evolve as the threat and cyber ecosystem changed.”
Arrington said accreditation will be good for three years, and that the CMMC process opens an important communication link between businesses and the Department of Defense Cyber Crimes Center (DC3) that will help notify businesses of cyber threats more quickly.
Last week, six industry groups sent a letter to Arrington and Ellen Lord, under secretary of defense for acquisition and sustainment, asking for additional clarity and predictability in the plans for implementing CMMC.
“We are concerned that standing up a completely new third-party auditing process that will enable enterprise scale audits in 2020 is very ambitious and believe that more clarity about the CMMC’s scope and applicability is needed, if the timeline is to be met,” said the groups Alliance for Digital Innovation, BSA: The Software Alliance, Cybersecurity Coalition, Information Technology Industry Council, Internet Association, and The Computing Technology Industry Association.