The first version of the new cybersecurity requirements the Pentagon wants military contractors to follow could be finalized as soon as Jan. 31.
Katie Arrington, chief information security officer for the Office of the Under Secretary of Defense for Acquisition and the point person for the Cybersecurity Maturity Model Certification (CMMC), told an audience Jan. 28 that she will have the requirements by the end of the month.
The Department of Defense is cracking down on contractor cybersecurity.
The CMMC is a tiered cybersecurity framework that grades companies on a scale of one to five. A score of one designates basic hygiene and a five represents advanced hygiene. Arrington said Jan. 28 that the lowest level will become the default for Department of Defense contracts and will include basic tasks such as changing passwords.
Forthcoming cybersecurity controls are designed to help the Department of Defense and small business work together to protect sensitive data based on tiers of systems.
Speaking at an event hosted by the law firm Holland and Knight, Arrington said the new standards won’t be in effect overnight. The auditors and assessors who will grade companies need training and new contracts will be slowly phased in.
“The likelihood that any awards will be made until 2021 [of the certification] is, I would say, highly unlikely,” she said. She noted that companies are not required to have CMMC certification until the time of award. “You have a full year to get yourselves set, to get yourself in position.”
According to one slide in her presentation, all new contracts will have the requirements in fiscal year 2026. Arrington expects 1,500 companies to be certified by the end of 2021.
The requirements are expected to be free of jargon and overly technical language that can often make military documents befuddling.
“I asked if it could be created on an eighth grade reading level. Why? Because I’m not smart and I owned a small business and I fell prey to this,” she said. “I needed it to be in something that anybody could adapt to. We hear companies all the time say my nephew is doing my cybersecurity. I need your nephew to read what I need him to do.”
The Department of Defense hosted a prototyping event to test tools that can monitor manufacturing company networks for cyber intrusions.
Arrington promised that the requirement would not become a simple checklist, because if it does “I’ve failed. We failed.”
Moreover, she suggested the framework be reevaluated at least once each year because cyber threats will continue to evolve.