Katie Arrington: DoD’s Cyber Certification Model Could Allow for Reciprocity With FedRAMP

Katie Arrington, chief information security officer for acquisition and sustainment at the Department of Defense, said DoD is considering opening the Cybersecurity Maturity Model Certification initiative to a reciprocity process with the General Services Administration’s Federal Risk and Authorization Management Program to facilitate the transition, FCW reported Friday.

“I think that there’s a lot of reciprocity to be had there because it’s an investment that you’ve already made,” Arrington said Thursday at a panel discussion at the CDM Summit. “The challenge is when we get certified you have to ensure for the CMMC, those POAMs, those plans of action are closed so that we can validate.”

In September, the Pentagon issued a draft version of CMMC, which establishes cyber practices and standards meant to help the defense industrial base reduce exfiltration of controlled unclassified information.

Arrington noted that the department will require CMMC level 1 certification for the majority of the 300K defense contractors. She said the CMMC accreditation body will hold its inaugural meeting on Tuesday, Nov. 19, and start training and certifying auditors in January.

DoD expects CMMC requirements to be included in requests for information by summer of 2020 and solicitations by fall, according to the report.
