Katie Arrington, the newly minted chief information security officer for the assistant defense secretary for acquisition, speaks at the 10th annual Billington CyberSecurity Summit on Sept. 5, 2019, in Washington, D.C. Billington Summit courtesy photo by Nathan Mitchell.
Bidders for Air Force contracts, or any Pentagon business, will have to get certified as cybersecure before they can win the work starting next year, according to Katie Arrington, the newly minted chief information security officer for the assistant defense secretary for acquisition.
Arrington told the Billington CyberSecurity Summit in Washington, D.C., on Sept. 5 that the new Cybersecurity Maturity Model Certification framework, or CMMC, is out in draft form for public comment. It would start appearing as a requirement in pre-solicitation acquisition documents like RFIs in June. "In the fall, we will start putting it into [actual bid solicitation documents like] RFPs," she said.
Arrington said she wanted industry input to help slim down the draft CMMC, which at present incorporates "a multitude of standards and controls that we basically rolled into a single document … It's mind-blowingly massive."
"I want to hear which of these controls are really important," she said, "And which aren’t useful anymore … And then map [the useful ones] onto DoD requirements."
CMMC will have five numbered levels, and the level required will depend on the sensitivity of the work the contractor will be doing; different levels might be required for different pieces of the same job, Arrington explained. Breaking a job down that way would mean that some sub-contractors holding lower-level certifications could work only on certain parts of the contract. "It will be tailored … It will be flexible," she said.
Ron Ross, a cybersecurity fellow at the National Institute of Standards and Technology, said this flexibility in CMMC represented a big step forward for the Pentagon, which previously had sought to enforce cybersecurity through a blanket application of NIST information security standards. “When you try to apply a broad-brush requirement across a vast community” of stakeholders with widely varying capabilities, “the outcome is not a happy one,” he said.
“You have paving contractors at the Pentagon, and you have people supporting a Navy submarine program working on stealth technology. Those are not the same thing, right? We need to tailor our requirements to the level of criticality involved,” Ross concluded.
Arrington said the department would work with contractors to get them up to speed on the new requirements. "We're going to walk them through the process," she said, contrasting that with the way the department had imposed the NIST standards. "We didn't help industry do it, we just told them: Do it," she said.
Companies that want to get CMMC certification will have to go to third party auditors, Arrington added, rather than merely self-attesting, as they currently do with the NIST standards. “It’s trust but verify, and we couldn’t make that work with self-attestation because there’s no way to verify it,” she said.
In acquisition terms, she said, the new cyber certification "won't be a source selection issue" where contractors are scored on a variety of factors. Instead, "It will be a go/no go decision," meaning contractors that hold the certification can get the work and those that don't can't. "We need to level-set that security requirement into [DoD] culture," she said.
Making CMMC a requirement would also mean that contractors would be able to pass the costs along to the government. “We know that security costs money,” she said, “But we need to understand exactly what it is we’re paying for. The level-set of the CMMC will help us do that.”