Katie Arrington: Changes in CMMC Requirements Needed to Address Cost Issue

Katie Arrington, chief information security officer at the Office of the Assistant Secretary of Defense for Acquisition and a 2020 Wash100 winner, has recommended revisions to the Cybersecurity Maturity Model Certification program requirements.

Arrington, the DoD lead for the CMMC program, added that the modifications are necessary to deal with high costs related to validating procurements at the top of its tiered model.

The program is meant to serve as a verification system to make sure that proper levels of cybersecurity practices and processes are established.

The initiative, the requirements of which are categorized from one through level five depending on the risk level, also aims to control unclassified information in the networks of the DoD’s industry partners.

During a webinar sponsored by Project Spectrum held on Nov. 4, Arrington, a past Potomac Officers Club event speaker, said contractors being shortlisted for awards after Dec. 1 are required to submit a self-assessment review.

She added that the contractors must rate themselves from zero to 110 to show the number of controls they use from the National Institute of Standards and Technology’s Special Publication 800-171.

She noted that if entities are using over 80 of those controls, they will be deemed in need of a medium or high assessment, a level that requires assistance from the Defense Contract Management Agency personnel.

At various levels, the CMMC model includes the 110 controls of NIST’s SP 800-171, as well as other controls selected from requirements under other governments, including those in Europe.

Arrington said the level three in certification “is the 110 controls in the NIST.” “Right now it has 20 additional controls added to it. We’re open to the public comment period. So if any of you have any thoughts on those additional 20 controls, please, before November 30, you have to go in and register and submit those,” she said.