CMMC reciprocity guidelines are still a work in progress


The Defense Department's unified cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC) program, is slated to roll out in November. But one of the key promises made to bolster support for CMMC, that vendors would be able to save money by getting credit for other government cybersecurity certification programs they already hold, hasn't yet been worked out.

"Reciprocity means something, but we need to have reciprocity from companies or certification programs that actually have a basis," Katie Arrington, the Defense Department's chief information security officer for acquisition, said at the Billington Cybersecurity conference on Sept. 8.

Arrington has previously said companies should get some credit for investments they've already made in programs like the Federal Risk and Authorization Management Program (FedRAMP), but indicated that it and other programs aren't fully equivalent to CMMC and may require additional investment.

When it comes to programs like FedRAMP, "we have to understand that they are alike but not the exact same," Arrington said.

"Right now, FedRAMP Moderate Impact Risk is close but FedRAMP High Impact Risk is closer to the [requirements of Level] 3," she said, illustrating the differences in each of the programs' requirements.

Arrington said the CMMC Accreditation Body is working on the particulars of how such reciprocity would work and that industry should submit feedback on the issue.

Karlton Johnson, the vice chair of the CMMC Accreditation Body's board of directors, said the organization is working with DOD on ironing out reciprocity agreements with programs such as FedRAMP to make the process easier.

"We want people to do the CMMC program, embrace it, perform with it," Johnson said during the panel, adding that such arrangements will make the program easily "consumable, concise, and clear."

Johnson said the DOD's certification program will set baselines, such as small shops with a few employees meeting CMMC Level 1, upgrading to Level 2 once they start partnering with other companies, and "to start doing business with the DOD, definitely go to a Level 3."

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.


