The Defense Department (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment is creating a new certification model to streamline DoD’s cybersecurity acquisition processes, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, said at the Professional Services Council Federal Acquisition Conference today.
Arrington announced that she is working on the Cybersecurity Maturity Model Certification (CMMC) with Johns Hopkins University Applied Physics Laboratory and Carnegie Mellon University Software Engineering Institute to “review and combine various cybersecurity standards into one unified standard for cybersecurity.”
The new certification aims to expedite DoD’s cybersecurity acquisition processes, which Arrington said matters because security is the foundation of defense acquisition.
“Defense acquisition only will function in a secure environment,” Arrington said. “So cost, schedule, and performance cannot be traded for security.”
Once the certification is released, cybersecurity contracts DoD issues will carry a required CMMC level, ranging from level one to level five – from basic cyber hygiene requirements to “state-of-the-art” cybersecurity capabilities. The levels will also need to capture both security controls and the institutionalization of processes that enhance cybersecurity for Defense Industrial Base (DIB) companies, Arrington added.
Arrington said she aims to complete the CMMC by January 2020, and industry can expect to start seeing the certification in contract requests for information by June 2020, and in requests for evidence by September 2020.
Arrington highlighted other features of CMMC, including that it must be semi-automated and cost-effective enough that small businesses can achieve a minimum level-one certification. CMMC will also include a center for cybersecurity education and training, and its model “will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector,” Arrington added.
Within CMMC, a third-party cybersecurity certifier will also conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.
As Arrington and her team continue to develop CMMC, she said they are looking to industry for help in creating it. Between this July and August, they will travel to San Diego; San Antonio; Huntsville, Ala.; Tampa, Fla.; Boston; Washington; Phoenix; Detroit; Colorado Springs, Colo.; Seattle; and Kansas City, Mo., to hold listening sessions and industry days.
Arrington stressed that, given the increasingly interconnected nature of government and industry in data security, public-private collaboration in developing the certification is critical.
“With 70 percent of my data living in your environment, I’m home, so we need to work together to secure it,” Arrington said. “Who is the government? You are when you’re the taxpayer. That’s your money. That’s your data that you have paid for that our adversaries are taking and using against us. We should be infuriated as a nation about our data. With $600 billion a year being expelled by our adversaries, this room should be irate.”