Katie Arrington: CMMC, FedRAMP Working on Reciprocity

The Cybersecurity Maturity Model Certification office and the Federal Risk and Authorization Management Program Management Office are working to allow reciprocity between the two certifications, according to a DOD official.

Katie Arrington, lead of the CMMC program and a Wash100 awardee, said the FedRAMP office has reached out to her office. “You, as a taxpayer, paid for FedRAMP. I don’t want you to pay again,” Arrington said in a webinar.

The CMMC office also asked the CMMC accreditation body to give reciprocity to vendors authorized to work with the federal government through a third-party certification system like FedRAMP, MeriTalk reported Wednesday.

However, FedRAMP-approved vendors must have accomplished their plan of actions and milestones before they can qualify for CMMC certification. They need to close gaps "with the accreditation body in a way that they feel comfortable," Arrington said.

CMMC-approved vendors may be held liable if they stop practicing a security measure that initially counted toward their certification.

“We don’t want to do harm to our supply chain, what we need to do is help them get secure. First and foremost, that’s what the CMMC is about,” Arrington said.

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

The CMMC program was created by the Office of the Under Secretary of Defense for Acquisition and Sustainment to combine various cybersecurity standards and best practices, mapping them across a range of maturity levels.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Popular Voices

Join Us Now