Katherine Arrington, chief information security officer (CISO) for the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) at the Department of Defense (DoD) and 2020 Wash100 Award recipient, will serve as a keynote speaker during Potomac Officers Club's (POC) Fall 2020 CMMC Forum on October 7th.
In her role, Arrington serves as the central hub and integrator within OUSD(A&S), aligning acquisition cyber strategy across the office.
As the cyber lead and programmatic analytic advisor for strategic cyber programs, Arrington is responsible for conducting analysis within the major defense acquisition program portfolio and across the Department of Defense (DoD).
Arrington was recently featured during Potomac Officers Club’s Spring 2020 CMMC Forum where she outlined the implementation process of the Cybersecurity Maturity Model Certification (CMMC).
If you missed the virtual event, you can still register to watch the footage in Potomac Officers Club’s Event Archive.
During her keynote address, she discussed how to prepare for the initial stages of the certification. She unpacked the various ways the DoD has prepared for integration, including pathfinders, requests for information (RFIs) and training the CMMC Accreditation Body (AB).
“Pathfinders are current contracts from the DoD that we are working through to map from the primes to the subs. We are doing that with contracts with NDA. We’ve gone in to look at the contractors and their level of security to complete these contracts,” Arrington said.
As Arrington discussed the RFIs, she noted that a Level 3 certification would require an in-person audit. Arrington elaborated on the ways COVID-19 has presented new issues for the auditing process due to social distancing and the new regulations that have become the "new normal." However, once the auditors graduate in approximately a month, DoD will release RFIs.
Since her address, there have been new specifications for CMMC as the certification matures and enters its final stages. In early August, DoD reported that it is on track with the final step needed to begin integrating CMMC requirements into contracts.
DoD is now waiting for the Office of Management and Budget (OMB) to clear a rule change to the Defense Federal Acquisition Regulation Supplement (DFARS) so that it can incorporate clauses in solicitations directing the inclusion of CMMC requirements in contracts.
"We are still tracking right along for the DFARS rule change," Arrington said. "That has not deviated."
Additionally, DoD accepted applications from third-party certifiers (C3PAOs) in late June; these are expected to graduate by early August. Arrington noted that final requests for proposals (RFPs) for certification services are expected to be released in the fall, but awards in calendar year 2020 are unlikely. She also stated that companies will not need certification until time of award.
Arrington reported in June that she expects CMMC to certify 7,500 companies by 2021. She told attendees during a webinar that DoD plans to release RFPs that include CMMC version 1 requirements once the DFARS amendments are implemented.
She anticipates these solicitations will be released in September or October 2020. "I think that five years from now, it's part of a national standard, it's part of how we do business," added Arrington.
As the first RFPs quickly approach, it is essential that organizations and companies shift gears to CMMC preparation. CMMC is not just about fixing a gap or implementing a control; it is about organizational behavior, demonstrated through practice maturity and process maturity, which is essential for Level 3 and higher.
During Potomac Officers Club’s Fall CMMC Forum, Arrington will analyze the meaning of “process maturity” and the concept of “evidence” of maturity. You will hear from additional federal and industry leaders who will discuss the requirements and priorities of implementing the certification, including scoping of CMMC assessments, supply chain impacts and C3PAOs.