Katie Arrington: CMMC Reciprocity Guidelines Are in the Works
Katie Arrington, the Department of Defense's chief information security officer for acquisition, said the department is figuring out how to implement “reciprocity” in the Cybersecurity Maturity Model Certification Program.
"Reciprocity means something, but we need to have reciprocity from companies or certification programs that actually have a basis," said Arrington, a past Potomac Officers Club event speaker and a 2020 Wash100 awardee.
One of the promises made for the CMMC program is that companies would be able to leverage other cybersecurity certification programs such as the Federal Risk and Authorization Management Program.
Arrington said that while programs like FedRAMP should give companies some credit, they are not fully equivalent to CMMC and may require further investments. “We have to understand that they are alike but not the exact same,” she said.
According to her, the CMMC Accreditation Body is currently finalizing how reciprocity would work. She also encouraged industry to submit feedback on the matter.
Karlton Johnson, vice chairman of the accreditation body, said his group is currently working with the Pentagon to iron out reciprocity agreements to make the process easier for contractors.
He said, “We want people to do the CMMC program, embrace it, perform with it,” adding that the aim is to make the program easily “consumable, concise and clear.”
Slated to be implemented in November, CMMC is a program that will vet government contractors based on their compliance with various cybersecurity standards and best practices.
CMMC is being designed to be cost-effective and affordable for small businesses at least at the lower levels, according to the DOD's Office of the Undersecretary for Acquisition and Sustainment.