Other transaction agreements will be subject to the Defense Department’s unified cybersecurity standard, according to Katie Arrington, DOD’s chief information security officer for acquisition.
Rapid acquisitions for prototypes and experimental technology will be subject to the Defense Department's unified cybersecurity standard, according to Katie Arrington, DOD's chief information security officer for acquisition.
Arrington said DOD's upcoming implementation of its Cybersecurity Maturity Model Certification (CMMC) will apply to other transaction agreements (OTAs) -- a rapid contract mechanism frequently used to help develop and field prototypes.
"In an OTA, in the technical specs, they can actually call it out and say what they want," said Arrington during an April 29 NextGov webinar on CMMC.
OTAs are meant to speed the government buying process and allow DOD to buy new capabilities faster by allowing officials to sidestep competitive bidding in certain cases. But there's ample worry of potential overuse, which could invite congressional scrutiny.
Arrington's comments come as DOD has begun pushing for the use of OTAs to find and execute on solutions that can help treat or prevent the spread of coronavirus. Ellen Lord, DOD's acquisition chief, issued a memo in early April to ease the OTA process by delegating contracting authorities to heads of agencies and combatant commanders during the pandemic.
For example, the Army issued $100,000 contracts for innovative ventilator solutions that could be deployed in rural settings as part of its xTech COVID-19 Ventilator Challenge. The ongoing contest aims to produce 10,000 ventilators suitable for field operation in eight weeks and uses OTAs.
As for cyber concerns, Arrington said that because OTAs operate "outside" the Federal Acquisition Regulation and largely benefit small businesses, which can be the most vulnerable when it comes to cybersecurity, CMMC is even more important.
"That's where we need to ensure that we're putting those levels of CMMC in," she said. "If you're doing some grant work, we do need to make sure the institution or the department or the network that you're doing this work on understands the risk ... Everybody's vulnerable."