March 29, 2024

Be Cyber-Compliant Or Be Gone

Katie Arrington

Mandatory cybersecurity compliance standards are here. Every RFP issued from the Pentagon from September 2020 onward will require third-party certification of cyber compliance. Katie Arrington, head of DoD’s Chief Information Security Office and a principal architect of DoD’s Cybersecurity Maturity Model Certification, is shepherding the near-final draft through industry review and comment. DoD’s goal is to have all 300,000 DoD contractors in compliance by FY26.

“It is real,” she told about 200 industry representatives at The Patuxent Partnership’s January briefing. The final model is expected to roll out in June 2020. Pacing the aisles of the room, punching the air, she told jokes and stories that make her primary point over and over.

“Do get prepared,” she said. “We need one unified standard. We need to make sure everyone is certified.”

Ms. Arrington has worked in Congress, run for Congress, and worked in the defense contracting industry. She appreciates the hurdles, and promises to seek the increased financial support industry needs to reach compliance. Efforts are already under way to make “security a billable cost,” she said.

“If you can’t afford [to reach certification] I’ll help find the money. DoD doesn’t build anything,” she said. “If I don’t have you I have nothing.”

But without rapid, industry-wide cyber compliance, everything we build will also be in the hands of our enemies, she said.

“Our adversaries stole $600 billion from us. That’s $4,000 per citizen after taxes,” she said. China’s theft of the F-35 design was so complete, she said, that the copy experienced the identical cockpit problems of the US original.

“This is happening. We’re in rule change.”

“It’s been kinetic war since the dawn of time.” Someone hit someone else with something, she explained. It was physical. “The new age, new type of war, cyber, is cheaper. It has no boundaries. Its impact is bigger. It takes a long time to recover from and,” she said, “it’s easy.”

Cyber-warfare also constantly advances. Quantum computing is weakening cyber borders and 5G communications will break the bounds of space. This is within five years, Ms. Arrington said.

“You have no walls. This is why CMMC.”

There are five levels within the Cybersecurity Maturity Model Certification. Contracts that do not involve handling sensitive information will require at least a CMMC Level 1 certification, to verify that basic cyber hygiene is being practiced.

Level 1 contains 17 controls, Ms. Arrington said, such as “anti-virus software, running the scan, who in the company knows when to renew” the software. “If you can’t do level one, if it is too hard, you might want to think about what you’re doing and who you’re doing it for.”

Level 2 is largely a learning step toward Level 3, which has 120 controls. These “aren’t hard, nor expensive,” she said. They also reflect “good cyber hygiene.”

Levels 4 and 5 reach into critical technologies and more aggressive controls.

It is anticipated that primes will need at least a Level 3 certification, while some subcontractors may only need Level 1. Ms. Arrington qualified that nothing is yet firm or finalized, but said her goal has been to keep certification costs at $2,000 or less for Level 1 and to top out at $7,500 for Level 3.

A nonprofit created by the defense industry is standing up a website with guidance on the steps to become certified. CMMC certification requires on-site audits, which are seen as having the added advantage of identifying shell companies that are not operational at the firm’s submitted address. The certification will be good for three years.

The Patuxent Partnership is a nonprofit member organization that fosters collaboration between government, industry, and academia to advance education through STEM-based initiatives; to advance technology through speaker programs, forums, and networking; to advance science and technology transfer through the exchange of ideas, information, and data related to technologies; and to increase workforce development through an array of initiatives.

To learn more about The Patuxent Partnership and its programs, visit its Leader member page.
