As the first Cybersecurity Maturity Model Certification (CMMC) RFPs quickly approach, it is essential that organizations and companies shift gears to CMMC preparation. CMMC is not just about fixing a gap or implementing a control; it is about organizational behavior, namely Practice Maturity and Process Maturity, which are essential for Level 3 and higher.
Potomac Officers Club’s Fall CMMC Forum will feature Katie Arrington, Chief Information Security Officer at the Office of the Assistant Secretary of Defense for Acquisition and a 2020 Wash100 Award recipient, as a keynote speaker. She will analyze the meaning of “process maturity” and the concept of “evidence” of maturity.
The Defense Department’s (DoD) current interim rule for CMMC will take effect on Dec. 1, 2020, Arrington recently stated. The interim rule that implements the CMMC program was posted in the Federal Register on Sept. 29 with a call for public comment.
The CMMC program will create a range of mandatory, audited cybersecurity standards for all companies participating in the defense industrial base (DIB). Version 1.0 of the CMMC rule was rolled out by DoD in Jan. 2020.
“The [CMMC] rule change goes into effect on December 1 of this year,” Arrington said. “As of December 1, cybersecurity is in all contracts” issued by DoD after that date, she said. Arrington added that DoD “may need to adjudicate” some of the comments that were filed in the public comment proceeding, which will take place in Jan. and Feb. 2021.
Arrington added that DoD finalized its statement of work with the CMMC Accreditation Body (AB), which is in charge of operationalizing CMMC assessments and training within the DoD contractor community and the other communities that will implement CMMC. “We are moving forward,” Arrington concluded.
As CMMC takes effect, other federal agencies have announced plans to integrate the certification. Keith Nakasone, deputy assistant commissioner for acquisition within the General Services Administration’s (GSA) office of information technology category, said GSA will continue to integrate cybersecurity requirements into governmentwide acquisition contracts to help ensure the security of sensitive data.
Nakasone said the security controls will be aligned with the DoD’s CMMC program and the addition of such requirements will not be a “one-and-done type of deal.” GSA added CMMC requirements to the $50 billion STARS III GWAC that was launched in July for small IT contractors.
“We know that this is a very complex process that we have to build out within our acquisition solutions, but I think over time, you’ll see some injection, whether it’s from the Federal Acquisition Regulations, from the [National Institute of Standards and Technology] revisions that are up and coming… we definitely see a movement in ensuring that our IT systems are protected,” Nakasone said.
In Oct. 2020, the Department of Homeland Security (DHS) also announced that it will investigate how CMMC can apply to the supply chain. DHS procurement and acquisition professionals are working with several vendors on supply chain pilots that would include CMMC, said Thresa Lang, DHS acting chief information security officer.
“DHS is interested in these kinds of innovations because it’s important for us to be promoting our economy and our security,” Lang said.
Within DHS, the Cybersecurity and Infrastructure Security Agency (CISA) has issued binding operational directives to agencies to safeguard information systems, aggregate threat intelligence and develop mitigations for supply chain vulnerabilities.
“We’re starting to work with vendors to make sure that they understand what they can do for their supply chains, that they understand the controls that are required, and that they are using components and equipment that they’re very comfortable with,” Lang said. “So a lot of this is procurement … a lot of it education, and I think a lot of it comes down to just getting the right information and making sure everyone understands it.”
During Potomac Officers Club’s Fall CMMC Forum, you will hear from additional federal and industry leaders who will discuss the requirements and priorities of implementing the certification, including scoping of CMMC assessments, supply chain impacts and C3PAOs.
“I think that five years from now, it's part of a national standard, it's part of how we do business,” said Arrington with regard to CMMC integration.