Katie Arrington of the Department of Defense said DoD’s move to develop a new cybersecurity certification model seeks to gain better oversight of the defense supply chain, Federal News Network reported Thursday.
DoD issued on Wednesday a draft version of the Cybersecurity Maturity Model Certification, which establishes cyber standards and practices meant to help the defense industrial base reduce exfiltration of controlled unclassified information.
“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense,” Arrington, chief information security officer for DoD’s office of the assistant secretary of defense for acquisition, said at the Intelligence and National Security Summit.
Arrington cited the Pentagon’s use of the cybersecurity framework to facilitate discussions about the defense supply chain.
“We get everyone on a level-set playing field for cybersecurity, and then we can really start looking at our supply chain, where our most and greatest vulnerabilities lie and how we can work together in a collaborative event with industry,” she said.
Arrington said she sees the model as a way to shift from disparate requirements toward a framework focused on securing the defense supply chain.
The draft CMMC v0.4 has five levels ranging from basic cyber hygiene to highly advanced practices and consists of 18 domains, including access control, asset management and incident response.
Public comments on the draft model are due Sept. 25.