Katie Arrington, chief information security officer at the office of the assistant secretary of Defense for Acquisition and Sustainment and a 2020 Wash100 Award recipient, said the Cybersecurity Maturity Model Certification (CMMC) framework does not aim to punish companies for failing to anticipate cyber breaches like the SolarWinds hack but to protect them from negligence, Breaking Defense reported Friday.
“SolarWinds wasn’t normal. No one is going to take that against you and take your certification away against a nation-state actor penetrating in a way that has never been done before — absolutely not,” Arrington said at an AFCEA event.
In mid-December, the Cybersecurity and Infrastructure Security Agency released an emergency directive directing all federal civilian agencies to mitigate a compromise that threat actors are exploiting in SolarWinds’ Orion Network Management products. The breach was believed to be carried out by hackers from Russia.
CMMC seeks to help companies build a security baseline to compete for contracts with the Department of Defense and incentivize them for meeting expectations.
“If you get hit by something like SolarWinds, which everybody is going through right now, you’re not going to lose it over that. That’s something that the TTP was new. Nobody had planned for that,” said Arrington. “But if you come in, and there’s a cyber incident at your company and it happened because you weren’t deploying your multi-factor authentication, then you do run a risk.”