Katie Arrington Envisions CMMC to Become Basis for Global Security Standard

Katie Arrington, the chief information security officer for the assistant secretary for defense acquisition, wants the Department of Defense’s Cybersecurity Maturity Model Certification to serve as a basis for a global security standard.

In line with the DoD’s goal, Arrington told the participants of an online event hosted by Bloomberg Government that the Five Eyes intelligence partners are working on updating their cybersecurity standards.

Citing America’s annual $60B loss due to bad cybersecurity, the 2020 Wash100 winner expressed hope that the CMMC program would be a solid return on investment, MeriTalk reported.

However, Arrington said the DoD understands cost realism, hence the additional costs of certification into rates for defense contracts.

The official set the cost limit for obtaining a Level 1 certification under CMMC at $3K, noting that anything beyond that would indicate a failure on the DoD’s end.

About 285K of the existing 300K federal contractors are expected to gain Level 1 certification while only 15K of the qualified businesses are estimated to apply for Level 3, Arrington said.

While Level 1 certifications range from no-cost control measures and good practices like changing passwords, Arrington regarded the fourth and fifth certification levels as “very exquisite and expensive” to obtain.

The CMMC is scheduled for partial implementation by 2022 and a full rollout by the end of 2025.

As of early April, the CMMC Accreditation Body said it was still selecting Certified Third-Party Assessment Organizations.