The first steps of the Department of Defense’s (DoD’s) stronger approach to securing the defense industrial base take effect today, setting the stage for full implementation of the Cybersecurity Maturity Model Certification (CMMC) program, said Katie Arrington, DoD’s CISO for Acquisition and Sustainment.
Speaking at AFCEA International’s TechNet Cyber 2020 virtual conference today, Arrington described three new clauses in the Defense Federal Acquisition Regulation Supplement (DFARS) policies as a “crawl, walk, run” approach to improving contractor cybersecurity.
“This is a big cultural shift, as I think everyone well knows. This is the start of making cybersecurity foundational to all of acquisition,” she said.
The rules taking effect immediately are the requirement for contractors to provide a self-assessment of their cyber maturity under NIST SP 800-171 and the agreement to allow the government to audit a company’s cyber posture. Describing these as the “crawl” and “walk” stages, Arrington laid out the logistical details of how companies can meet the new requirements, and noted that companies have had notice over the past couple of years that the changes were coming.
“We need you to [record] that so that we can trust but verify that you are doing, if not all, some of the 110 controls” that are part of NIST SP 800-171, she said.
The tough work will come over the next five years, as the CMMC program is fully implemented by the deadline of October 2025. Defense agencies will need to include the requirements in all contracts, and companies will need to be audited to receive a three-year certification that they are meeting the requirements of NIST SP 800-171. Arrington noted that 15 “pathfinder” contracts – soon to be announced – will begin to include CMMC requirements in calendar year 2021. Arrington also noted that, during the rollout, improving cybersecurity will be an allowable cost for companies bidding for contracts.
“These three clauses are a big deal, and it’s changing the game. No longer is the government relying on trust – we’re going to verify,” she said.