Katie Arrington, chief information security officer for acquisition and sustainment at the Department of Defense, said DoD is considering opening the Cybersecurity Maturity Model Certification initiative to a reciprocity process with the General Services Administration’s Federal Risk and Authorization Management Program to facilitate the transition, FCW reported Friday.
“I think that there's a lot of reciprocity to be had there because it's an investment that you've already made,” Arrington said Thursday during a panel discussion at the CDM Summit. “The challenge is when we get certified you have to ensure for the CMMC, those POAMs, those plans of action are closed so that we can validate.”
In September, the Pentagon issued a draft version of CMMC, which establishes cyber practices and standards meant to help the defense industrial base reduce exfiltration of controlled unclassified information.
Arrington noted that the department will require CMMC level 1 certification for the majority of the 300K defense contractors. She said the CMMC accreditation body will hold its inaugural meeting on Tuesday, Nov. 19, and start training and certifying auditors in January.
DoD expects CMMC requirements to be included in requests for information by summer of 2020 and solicitations by fall, according to the report.