The Defense Department (DoD) may just be beginning to implement its new cybersecurity standards for the defense industrial base, but the head of the program said on April 16 she is aiming for the certification program to become the “basis for a global standard” on security.
DoD’s Cybersecurity Maturity Model Certification (CMMC) program is still in its early stages. Among the latest news on the program was a statement by a member of the board of the CMMC Accreditation Body in early April that no Certified Third-Party Assessment Organizations (C3PAOs) had been selected yet, and that selection of C3PAOs was still “very much a work in progress.”
Calling CMMC the new “Federal standard” in cybersecurity, Katie Arrington, DoD’s CISO for acquisition who heads up the program, said this week that CMMC was built with “an international flair.”
During an online event hosted by Bloomberg Government, Arrington said the Five Eyes intelligence partners (United States, Australia, Canada, New Zealand, the United Kingdom) are already “moving out” with updates to their cybersecurity standards.
“I think CMMC will become the basis for a global standard,” said Arrington of the CMMC process authorized by Section 1648 of last year’s National Defense Authorization Act.
With the U.S. suffering an estimated annual loss of $600 billion because of bad cybersecurity, Arrington said she is hoping for a solid return on the investment through CMMC.
“We understand that this is a cost [for businesses],” Arrington said, but added that DoD understands “cost realism,” and is building the additional costs of certification into rates for defense contracts.
Arrington said “we’ve failed” if the total cost of obtaining a Level 1 certification under CMMC is more than $3,000 for a business.
Businesses must get certified once every three years under CMMC, and Arrington estimated that 285,000 of the 300,000 Federal contractors will get the Level 1 certification. This first level of certification includes 17 no-cost controls, said Arrington, and “good practices” like changing passwords. She added that a Level 2 certification will “probably never be seen as a request” for most businesses.
Calling it a “big jump” between Level 1 and Level 3 certifications, Arrington estimates only about 15,000 Federal contractors approved to handle Controlled Unclassified Information (CUI) will apply for Level 3. This third level of certification requires the 110 controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
Currently, companies self-attest whether they have met the NIST controls. A company that implements only 70 of the 110 NIST controls is now “technically acceptable” with the department, Arrington said.
The CMMC’s highest certifications will be rare. Arrington estimated that 0.06 percent of all contracts will be Level 4, and 0.06 percent of contracts will be Level 5, calling these certifications “very exquisite and expensive” to obtain.
Arrington said she expects the full rollout of the CMMC process to take five years, with half of contracts requiring certification by 2022, and all contracts requiring certification by the end of 2025.
“We don’t want to put anyone out of the bid process,” Arrington said, adding “You’ll start seeing it in select contracts this year.”
Every company has to go through the CMMC Accreditation Body, the only group authorized to certify C3PAOs, to obtain certification. Arrington said the first training classes for the process are scheduled to begin in early May.