Katherine Arrington, chief information security officer (CISO) for the Office of the Under Secretary of Defense for Acquisition (OUSDA) for the Department of Defense (DoD) and 2020 Wash100 Award recipient, served as a keynote speaker during Potomac Officers Club’s (POC) CMMC Virtual Forum 2020 on June 24th.
If you missed the virtual event, you can still register to watch the footage in Potomac Officers Club’s Event Archive.
Barry Barlow, senior vice president and chief of staff at Perspecta and 2020 Wash100 Award recipient, introduced Arrington by providing an overview of her knowledge and expertise within the sector and federal government. Barlow also mentioned that Cybersecurity Maturity Model Certification (CMMC) will have a critical impact on the industry as companies adapt to the new regulations.
Since the release of the CMMC guidance, Arrington has announced her support for the regulation and commented on how the shift from National Institute of Standards and Technology (NIST) standards will affect both the public and private sectors.
Arrington opened the keynote address by defining CMMC and noting that the certification has been in progress for 18 months. She reassured the audience that COVID-19 will not drastically change the implementation process. “We do not have another day to wait,” she said.
In preparation for the certification implementation, Arrington discussed the various ways the Department of Defense (DoD) has prepared for integration, including pathfinders, requests for information (RFI) and training the CMMC accreditation body (AB).
“Pathfinders are current contracts from the DoD that we are working through to map from the primes to the subs. We are doing that with contracts with NDA. We’ve gone in to look at the contractors and their level of security to complete these contracts,” Arrington said.
As she discussed the RFIs, she noted that a level 3 certification would require an in-person audit. Arrington elaborated on the ways COVID-19 has presented new issues for the auditing process due to social distancing and the new regulations that have become the “new normal.” However, once the auditors graduate in approximately a month, DoD will release RFIs.
“We can’t take proprietary information off of a contractor’s site, so we would have to be able to look at your SEP at your physical location,” Arrington explained. “We in the government are going to be right there with the industry. We are going to stick with you all to get this right.”
After addressing the auditing process, Arrington dissected how DoD plans to handle pricing for CMMC. She noted that if companies participate in the pilot programs, the government will cover the cost of the auditing process. She also noted that the pilot audit will be non-attributional.
A non-attributional audit means that the company does not own the level of certification it attained through the pilot audit process; it can be used only for the one contract that was audited. While the pilot audit will not have long-term effects, Arrington said that it will provide companies with a test run for the official CMMC implementation and audit process.
“The pilot audits can be used as a tool for preparation and modification, but when it comes to the RFP, you will have to get an audit that your company pays for that you will own for three years,” Arrington specifically mentioned.
In addition, Arrington discussed the role that the accreditation body will play in business and acquisitions. While there have been concerns that auditors could create challenges and, as a result, a loss of revenue, Arrington confirmed that the accreditation body will work with industry to create “a model that works equally.”
“We have worked so hard to ensure that the system treats organizations equally and fairly and that the process has an adjudication baseline. Two auditors should be able to look at the same information and get the same conclusions,” Arrington expanded. “You absolutely have the right to have a different auditor come in if you disagree with the conclusions from the initial audit.”
Arrington noted that you do not have to have a CMMC certification until the time of a particular contract award. However, she added that it is imperative to prepare for CMMC ahead of time.
“Do not wait on CMMC. If you have the DFAR rule on your contract, then you are self-attesting that you are doing 110 of those controls, so do not wait,” she emphasized.
She also discussed some of the concerns that have come from both industry and federal sectors about developing a unified cybersecurity maturity model. Arrington said that previous models have caused challenges in the implementation and adaptation process.
“You are our partner industry. We need you. We didn’t do this because we wanted to get you out of the system; we need to ensure that we would have you in the long term,” she detailed. “We will make sure that our partners have a great foundation to build off of. We all understand what is going on and I know you do too. We will work together to take this further than just the DoD,” Arrington concluded.
Mark your calendars for Potomac Officers Club’s Future Virtual Battlefield Virtual Event on July 22, 2020.
Maj. Gen. Maria Gervais, director of Synthetic Training Environment Cross-Functional Team with Army Futures Command, will serve as a keynote speaker at the virtual event. She will address how the federal government and defense agencies continue to integrate more emerging technologies.