The new cybersecurity standard for contractors in the Department of Defense’s (DoD) supply chain ecosystem is soon to have regulatory backing, according to Katie Arrington, CISO for Acquisition and Sustainment at the DoD.
“The Secretary [of Defense], the deputy, the service chiefs, and the service acquisition executives all unanimously agree we need something,” said Arrington of a cybersecurity standard for contractors, speaking on September 8 at the Billington CyberSecurity Summit. The Cybersecurity Maturity Model Certification (CMMC) was created earlier this year to ensure a baseline of cybersecurity at companies in DoD’s industrial base.
Arrington said the CMMC is in a “DFAR rule change right now,” referring to the Defense Federal Acquisition Regulation Supplement to the Federal Acquisition Regulation (FAR), which provides uniform acquisition policies and procedures for the DoD. “We are intending it to be finalized by November of this year,” she said.
“I’ve never seen a rule move as rapidly through the process,” Arrington said of the progress that the Office of Management and Budget (OMB) is making with the rule.
“We have to be vigilant,” said Karlton Johnson, vice chair of the board of directors for CMMC Accreditation Body – the organization responsible for the implementation of the new standard. “We have to stand the line,” he said at today’s event, adding, “CMMC is that line.”