Katie Arrington, chief information security officer for acquisition at the Department of Defense and a 2020 Wash100 award winner, told Government Matters in an interview posted Sunday about the creation of standards that third-party assessment organizations will use to evaluate and certify contractors under DoD's Cybersecurity Maturity Model Certification program.
Arrington said DoD and the accreditation body training working group have been working with Johns Hopkins University, Carnegie Mellon University and other institutions to develop training that is standardized for all the C3PAOs and individual auditors that will conduct assessments.
When asked whether the standards will evolve, she said the Pentagon will work with industry, the accreditation body and the National Institute of Standards and Technology to modify the standards as cyber threats and technologies evolve.
She noted that the department’s CMMC program will share threat information with small businesses and help them with patches, updates and other cyber measures through DoD’s Cyber Crime Center and the National Defense Information Sharing and Analysis Center, among other organizations.
Arrington also addressed how DoD will mitigate the challenges that CMMC may pose for small businesses.
“The whole purpose of the CMMC was making a unified standard so that we could lower the barrier [to] entry for non-traditional [contractors] and small businesses that may have never done or thought that they want to do work with the government before,” she said. “The CMMC is a go, no-go decision. You either are or you aren’t ready. You either are certified or you are not. There is no ambiguity. That is huge for small business, plus we are willing to pay for what we need our industry to be able to do.”