CMMC standards for non-defense contractors could be coming
The Department of Defense‘s push to secure its leaky supply chain from cyberattacks might “rapidly” become a standard for civilian agencies too.
Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Thursday that she has met with Chris Krebs — the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — to discuss the DOD’s new Cybersecurity Maturity Model Certification (CMMC) and how it could translate eventually to civilian, non-defense federal contractors.
Arrington was said she believes CMMC “will become a federal standard for the whole of government rapidly.” But, a CISA official was more cautious about amplifying CMMC beyond its defense acquisition purposes, saying “civilian agencies operate under separate acquisition authorities and CMMC is a DOD-specific program.”
“CISA is certainly following the development of CMMC with great interest and it’s likely that civilian agencies will naturally benefit from CMMC implementation,” the official told FedScoop. “Due to that overlap, we aim to harmonize our cybersecurity approaches as much as possible, including on directives.”
CMMC is a tiered system where defense contractors must be vetted by a third-party assessor on a five-level scale for the maturity of their enterprise cybersecurity. Every contract — from other transactions agreements to Small Business Innovation Research (SBIR) contracts and even grants — will be marked with a corresponding CMMC level that bidding contractors must meet to bid for a contract. Every one of the more than 350,000 defense contractors will need to be certified under CMMC.
Arrington also added that beyond possibly becoming a federal-wide standard, CMMC could become a part of international standards. CMMC was built to be in line with U.S. allies’ cybersecurity standards.
“I think the CMMC will become the basis for a global cybersecurity standard,” she said.
The news comes as the CMMC Accreditation Body is still working out several critical pieces in getting the ambitious program off the ground. That board is a non-profit that oversees the standards, training and certification of third-party assessors — those companies that will do the heavy lifting of certifying contractors. How that training will take place amid the coronavirus and social distancing is still being worked out, Arrington said.
“We will figure out the new way we go about doing business,” she said.
Currently, the DOD is working on a Defense Federal Acquisition Regulation rule change to incorporate CMMC into contracts by the fall with requirements landing in requests for information as soon as this summer. CMMC’s full rollout is expected to be complete by 2025.
Costs will come
The accreditation body is also working to align CMMC with the Federal Risk and Authorization Management Program (FedRAMP). While FedRAMP only certifies cloud environments, Arrington said she wants to ensure that contractors can minimize the economic burden of working with the government and not having to go through two separate certification processes.
“We understand there is going to be a cost to this,” Arrington said. “If somebody is FedRAMP certified we will offer reciprocity to them,” she added later. Similarly, the DOD announced last year that it will give cloud vendors a reciprocal authorization to operate when they’ve already received a FedRAMP Moderate certification.
How much that reciprocity will cover is unclear. John Weiler, a founding board member of the CMMC board, previously highlighted the differences between CMMC and FedRAMP.
“FedRAMP is certifying a specific platform for government use; CMMC is not solving that same problem,” he said in early April.
The vast majority of defense contractors will only need to meet CMMC level one, the lowest standard with only 17 required controls. Arrington estimates this level will cost $3,000 every three years for contractors to maintain.
On the other hand, only a fraction of a percent of the defense industrial base will need to certify at level five — a hugely expensive regime of cybersecurity standards, she said.
Arrington added that the third-party assessors will not be able to offer products to the company’s they vet, in an attempt to eliminate conflicts of interest. The assessors will only be allowed to charge contractors for the service of testing their networks. Any solutions to the problems they find will have to be bought separately on the CMMC board’s marketplace.