Katie Arrington: DoD’s Cyber Certification Framework Seeks to Better Understand Defense Supply Chain

Jeff Brody

Katie Arrington of the Department of Defense said DoD’s move to come up with a new cybersecurity certification model seeks to gain better oversight of the defense supply chain, Federal News Network reported Thursday.

DoD issued on Wednesday a draft version of the Cybersecurity Maturity Model Certification, which establishes cyber standards and practices meant to help the defense industrial base reduce exfiltration of controlled unclassified information.

“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense,” Arrington, chief information security officer for DoD’s office of the assistant secretary of defense for acquisition, said at the Intelligence and National Security Summit.

Arrington cited the Pentagon’s use of the cybersecurity framework to facilitate discussions about the defense supply chain.

“We get everyone on a level-set playing field for cybersecurity, and then we can really start looking at our supply chain, where our most and greatest vulnerabilities lie and how we can work together in a collaborative event with industry,” she said.

Arrington said she sees the model as a way to shift from disparate requirements toward a framework focused on securing the defense supply chain.

The draft CMMC v0.4 has five levels ranging from basic cyber hygiene to highly advanced practices and consists of 18 domains, including access control, asset management and incident response.

Public comments on the draft model are due Sept. 25.
