Katherine Arrington, chief information security officer (CISO) for the Office of the Under Secretary of Defense for Acquisition (OUSDA) of U.S. Department of Defense (DoD) and 2020 Wash100 Award recipient, will serve as a keynote speaker during Potomac Officers Club’s (POC) CMMC Forum 2020 on Wednesday, June 24th.
Arrington serves as the central coordinator and integrator within the OUSDA and Sustainment (OUSD(A&S)), to align acquisition cyber strategy. Since the release of the Cybersecurity Maturity Model Certification (CMMC) guidance, Arrington has announced her support for the regulation and commented on how the shift from National Institute of Standards and Technology (NIST) standards will affect both the public and private sectors.
How COVID-19 Will Affect CMMC Implementation
Arrington recently noted that the CMMC regulations will stay on track to be implemented this year, despite the COVID-19 pandemic. She stated that the largest challenge presented by COVID-19 will be conducting third-party audits of companies’ cybersecurity readiness because auditors will be required to perform on-site visits to assess compliance.
“We’re trying to figure out ways around that… I think that you’ll wear a mask, and you’ll maintain some social distance and you’ll be able to do the audit,” she said. “Just like the cable guy today — they come into your home, or they meet you, they wear a mask and we respect each other’s personal space to ensure safety for all.”
There could potentially be a two to three week delay on carrying out the first round of audits due to coronavirus, she noted. However, the potential schedule slip is expected to be “nothing of significance,” she added.
“Of course, COVID-19 is … impacting every aspect of our life,” she said. “But a two-week push on something is not going to have a massive impact on our rollout of this. … I don’t think it’s going to be anything impactful to the schedule.”
Small Businesses and CMMC
Arrington reported a rule change on the CMMC will benefit small businesses looking to work with the Defense Department. Arrington said in the current process not all businesses are certified as having met the standards set by the National Institute of Standards and Technology (NIST).
“The way the process works right now is that we all self-attest,” said Arrington. “The current default rule actually makes it uneven in competition for small businesses.”
The Department of Defense has been working with Johns Hopkins University, Carnegie Mellon University’s Software Engineering Institute, and the accreditation body training working group, to create the training that is standardized for all of the certified third-party assessment organizations and individual auditors.
“The standards should evolve,” said Arrington, noting that most contractors will have CMMC Level 1 certification. “The whole pretense of the model was to evolve as the threat and cyber ecosystem changed.”
NIST to CMMC: How it will Shift the GovCon Sector
In March 2020, Arrington stated that the new standards will be “a major undertaking, but just like we got to ISO 9000, we need to get there with cybersecurity. If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level the set because a good portion of our defense industrial base doesn’t have robust cyber hygiene.”
The CMMC has derrived from a variety cybersecurity frameworks and laws including NIST, DFARS, CIS and more. CMMC Maturity Level 2 (ML2) has required well-documented processes to combat risks and vulnerabilities. Each one of the 17 domains consists of various capability statements and practices that also require corresponding policies, plans and procedures.
Without the processes documented, you are not fully complying with the CMMC, showing that you cannot properly handle the information sent over from our DoD customers. There are also a few technical tools that need to be implemented to achieve a CMMC ML2, including tools to audit logs, identify vulnerabilities and spot malicious activity on the network. This can be a daunting requirement for any type or size of company.
How Contracted Work will Shift Under CMMC
Arrington said in March 2020 that DoD would not require prime contractors and subcontractors on a contract to meet the same level of Cybersecurity Maturity Model Certification requirements. She stated that the Pentagon will clarify which parts of a contract will demand different levels of certification in upcoming requests for information.
“One size doesn’t fit all for security,” Arrington said. “The subs, by what work they are doing, will need to meet a level one or level two.”
In addition, DoD has planned to begin including CMMC requirements in Requests for Information (RFIs). Notably, contractors that fail to meet the CMMC level applicable to a solicitation will be ineligible for contract award.
The requirements will flow through the entire supply chain, although subcontractors may be permitted to be certified at a lower CMMC level than prime contractors, depending on the scope and nature of the subcontractor’s intended work. Contractors should track the costs of their certifications, which are expected to be allowable in cost-reimbursement contracts.
DoD has projected full integration to occur by 2026. CMMC model will also be updated at least annually to keep up with changing threat environments and technological capabilities.
“We have a great deal of standards for cybersecurity. What we are lacking is a unified standard,” Arrington said. Through the accreditation process, DoD will be able to secure its supply chain.
Uncertainties Organizations Have with CMMC Regulations
In June 2020, DoD officials stated publicly that CMMC costs are allowable, but GovCon leaders have noted that the claim is too broad for contractors to rely on because of the wide range of costs that could be considered “CMMC costs,” including information systems to the labor, software, professional and IT investments.
The allowability of these costs depends on a number of factors, including the nature and amount of the costs, the manner in which the contractor has accounted for them and similar costs in the past, and the method for allocating such costs to government contracts.
Furthermore, in March 2020, six industry associations warned that without more clarity, the initiative could falter. “We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs. These challenges could lead to the Defense Industrial Base (DIB) being even less secure, if left unaddressed,” the letter states.
“We strongly support efforts to improve DIB cybersecurity and appreciate the department’s openness in meeting with and accepting input from industry about the CMMC during the autumn of 2019. We pledge to continue this partnership, as it is imperative that industry stakeholders and government continue to work together to ensure that the CMMC meets its overall objectives.”
To hear Arrington further discuss CMMC’s timeline, how the certification process could change and explain a newly established CMMC accrediting body, Register here for Potomac Officers Club’s CMMC Forum 2020 on Wednesday, June 24th. Don’t miss the opportunity to learn about the impact DoD’s CMMC will have on cybersecurity practices, supply chain security and other aspects of the federal market.
About The Wash100
The Wash100 Award, now in its seventh year, recognizes the most influential executives in the GovCon industry as selected by the Executive Mosaic team in tandem with online nominations from the GovCon community. Representing the best of the private and public sector, the winners demonstrate superior leadership, innovation, reliability, achievement and vision.
Visit the Wash100 site to learn about the other 99 winners of the 2020 Wash100 Award. On the site, you can submit your 10 votes for the GovCon executives of consequence that you believe will have the most significant impact in 2020.