Ellen Lord, under secretary of defense for Acquisition and Sustainment and 2020 Wash100 Award recipient, spoke after the announcement of the new cybersecurity regulations. She emphasized the Department of Defense's (DoD) concerns about sensitive, unclassified government data in its supply chain and discussed three changes that accompany implementation of the Cybersecurity Maturity Model Certification (CMMC).
First, Lord explained the reasoning behind the new regulations, citing vulnerabilities within the department's supply chain. She emphasized the national security threat that contractors and subcontractors face from advanced cyber adversaries, noting that in the past year alone, cyber attacks resulted in approximately $600 billion of global GDP lost to cyber theft.
Second, Lord set forth an estimated timeline for the integration process. She noted that DoD will implement a “crawl, walk, run” approach as CMMC is integrated.
DoD has projected that complete implementation of CMMC will occur by 2026. Lord stated that this year, DoD intends to select third-party accreditation vendors, to be called "C3PAOs," and will publish a new DFARS regulation in late spring or early summer. CMMC will add requirements to ten procurements at the end of this year, with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.
Third, Lord addressed the new Accreditation Body (AB). The AB will supervise training, quality and administration of the C3PAOs. It will have 13 members from the defense industrial base, cybersecurity community, and academic community who self-nominate to join.
She noted that DoD is currently drafting a memorandum of understanding (MOU) with the Accreditation Body that will outline the roles, rules and responsibilities of the parties.
Finally, Lord answered questions that contractors have raised since CMMC was released. She clarified that DoD will not seek to modify current contracts to apply CMMC retroactively. Additionally, DoD said that subcontractors will only need to be certified to the level appropriate to the data they receive or develop and the work they will perform on a contract.
Therefore, depending on the type of work, a Level 3 procurement could have Level 1 subcontractors. CMMC accreditation will be effective for three years.
Katie Arrington, chief information security officer at the Office of the Assistant Secretary of Defense for Acquisition and a 2020 Wash100 Award recipient, will serve as a keynote speaker at the CMMC Forum 2020. She will address the CMMC’s timeline, how the certification process could change and will provide a memorandum of understanding with a newly established CMMC accrediting body.
A full expert panel will include Ty Schieber, senior director of executive education at the University of Virginia and CMMC-AB chairman, and Richard Naylor of the Defense Counterintelligence and Security Agency (DCSA), among other members of the federal sector and industry.
Register here to join Potomac Officers Club for its CMMC Forum 2020 on April 2nd to learn about the impact DoD’s CMMC will have on cybersecurity practices, supply chain security and other aspects of the federal market.