Work continues on CMMC rollout amid coronavirus disruption

Katie Arrington speaks during a press briefing at the Pentagon, Washington, D.C., Jan. 31, 2020. (DoD photo by Navy Petty Officer 2nd Class James K. Lee)


The rollout of the Department of Defense’s new cybersecurity standards and certification process will continue on track despite the coronavirus’ disruptions to the Pentagon’s workforce, top program officials said Thursday.

The nonprofit board that leads training of third-party assessors under the Cybersecurity Maturity Model Certification (CMMC) signed a memorandum of understanding with the DOD this week that “formalized” its authority to certify those cybersecurity assessors, the board’s chairman Ty Schieber said Thursday.

CMMC will require all defense contractors to hire third-party assessors that have been accredited by the board and that will certify the contractors meet one of the model’s levels of cybersecurity. If a contractor does not receive a CMMC certification, it will not be allowed to bid on defense contracts.

“Work does continue,” Katie Arrington, the CISO to the undersecretary for acquisition and sustainment, said Thursday during a virtual event on CMMC’s impact. “We are working a tremendous amount in the virtual environment.”

CMMC will have five levels of security needs: starting at level 1, with the lightest standards and the most common requirement, and going to level 5, for the highest standards around controlled unclassified information.

DOD will put the requisite CMMC level requirements as language in contract documents. Arrington said the department’s plans to have requirements phased into 10 requests for information this summer continue as normal, as does the larger hope that CMMC requirements will be in every DOD contract by 2025.

The board is now working to “operationalize” the newly codified relationship with the DOD, Schieber said. That means beginning the accreditation process for potential third-party assessors soon.

Arrington added that she is exploring ways to use video conferencing for instructions as assessments start.

False CMMC advertisement

During the event, Schieber warned that some companies have been falsely advertising themselves as certified CMMC testers — despite there being no such thing, yet.

He said that while progress continues and some companies are positioned to eventually become certified assessors, that process hasn’t yet kicked off, so no companies have been certified.

Undersecretary for Acquisition and Sustainment Ellen Lord has warned of this previously. “Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD,” she said in a statement. “To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.”

Despite having to cancel in-person meetings for the several working groups and different boards under the umbrella of the accreditation board, Schieber said “the pace accelerates from here” on working to get CMMC implemented.
