Highly anticipated audits related to the Pentagon’s new Cybersecurity Maturity Model Certification process are inching closer, with auditors assigned to evaluate companies expected to complete their training by the end of September, according to the official spearheading the initiative.
Industry has been waiting with bated breath for the audits as part of CMMC implementation, which is meant to protect defense industrial base networks and controlled unclassified information from cyberattacks. Contractors will be required to meet different levels of security — Level 1 being the lightest and Level 5 the most stringent — depending on the type of work they are performing. The new rules will require contractors to be certified by third-party auditors to ensure that companies are adhering to certain standards.
Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment and the Defense Department’s point person on CMMC, said training for the first batch of auditors began Aug. 31.
“We’ll be starting to get some provisional assessors out into the marketplace very soon,” she said Sept. 2 during the Department of the Navy Gold Coast Small Business Procurement Event. The webinar was hosted by the San Diego Chapter of the National Defense Industrial Association. “Within a couple of weeks, we should have some capability out in the environment.”
When training for the initial batch of auditors is completed “we can start rocking and rolling, at least with CMMC Level 1 certifications for companies,” she added.
Meanwhile, the Pentagon is moving through the final stages of a rule change associated with the Defense Federal Acquisition Regulation Supplement, which should be finalized by the end of November, Arrington said. DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 are the current regulations for storing, transmitting and processing defense information. Once the rule change is complete, the CMMC rules will be inserted into requests for proposals, Arrington said.
Eventually, every company that makes up the defense industrial base — about 300,000 — will need to be CMMC compliant, she said. The vast majority, about 270,000, will be required to achieve Level 1 certification.
The government is already putting CMMC language into some contracts, Arrington said. For example, the General Services Administration’s contract for its STARS III program — which was posted in July — said the agency “reserved the right” to have CMMC implemented in future task orders.
“You’re going to see several other DoD [indefinite-delivery/indefinite-quantity contracts] rolling out in the same manner,” Arrington said. “We’re asking them to put it in and reserve the right.”
While RFPs with the new cybersecurity rules inserted are expected in November, Arrington noted that industry will not have to be compliant until the time of contract award.
“Your company will still have the time and the opportunity to get certified,” she said. “We’re hoping that industry jumps in as soon as we get these provisional assessors out there, [and that] companies start requesting to get their CMMC certification sooner rather than later to position themselves in an environment to be successful.”
Additionally, assessments will be good for three years and will apply to all of the work a company does with the Defense Department, Arrington said.
The Pentagon had originally planned to have assessments conducted in-person, but Arrington said some parts of that will have to be done online due to the ongoing COVID-19 crisis.
“One of the learning curves in all of this has been the understanding that this is going to have to be somewhat virtual,” she said.
In fiscal year 2021, the Pentagon plans to have 15 contracts with CMMC rules included, she said. That will involve about 1,500 companies. Of those, 895 will be at Level 1; 149 at Level 2; 448 at Level 3; four at Level 4; and four at Level 5, according to Arrington’s presentation slides.
By fiscal year 2022, the Pentagon plans to have 75 contracts with a CMMC requirement involving 7,500 additional companies, according to her slides. In 2023, there will be 250 contracts involving 25,000 companies; and in both 2024 and 2025, there will be 479 contracts involving 47,905 companies. Starting in 2026, all new Defense Department contracts will contain the cybersecurity requirement.