DOD CISO: CMMC Rule Change to Benefit Small Businesses

Katie Arrington, chief information security officer for acquisition at the Department of Defense, believes that small businesses will benefit from a rule change on the Cybersecurity Maturity Model Certification. Speaking on the program Government Matters, Arrington said the current self-attesting rule promotes uneven competition among defense contractors, adding that the CMMC was launched to lower the entry-level standards for non-traditionals and small businesses. The 2020 Wash100 winner believes that the rule change will become public by May, MeriTalk reported Monday.

Arrington also explained that the CMMC was developed to evolve standards amid the changing threats and cyber ecosystem.

The CMMC will offer three-year accreditation certifications and a communication link to expedite the delivery of cyber threat notifications to businesses, Arrington said.

She told host Francis Rose she expects the rule change to become public by May.  The whole purpose of the CMMC was making a unified standard so we could lower the barrier for entry for those non-traditionals and small businesses,” she said. “The CMMC is a go, no-go decision,” Arrington said. “You either are or you’re not ready.”