
CMMC reciprocity guidelines are still a work in progress


The Defense Department's unified cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC) program, is slated to roll out in November. But one of the key promises made to bolster support for CMMC, that vendors would be able to save money by leveraging other government cybersecurity certification programs, has not yet been worked out.

"Reciprocity means something, but we need to have reciprocity from companies or certification programs that actually have a basis," Katie Arrington, the Defense Department's chief information security officer for acquisition, said at the Billington Cybersecurity conference on Sept. 8.

Arrington has previously said companies should get some credit for investments they have already made in programs like the Federal Risk and Authorization Management Program (FedRAMP), but indicated that it and other programs are not fully equivalent to CMMC and may require additional investment.

When it comes to programs like FedRAMP, "we have to understand that they are alike but not the exact same," Arrington said.

"Right now, FedRAMP Moderate Impact Risk is close but FedRAMP High Impact Risk is closer to the [requirements of Level] 3," she said, illustrating the differences in each of the programs' requirements.

Arrington said the CMMC Accreditation Body is working on the particulars of how such reciprocity would work and that industry should submit feedback on the issue.

Karlton Johnson, the vice chair of the CMMC Accreditation Body's board of directors, said the organization is working with DOD on ironing out reciprocity agreements with programs such as FedRAMP to make the process easier.

"We want people to do the CMMC program, embrace it, perform with it," Johnson said during the panel, adding that such arrangements will make the program easily "consumable, concise, and clear."

Johnson said the DOD's certification program will set baselines, such as small shops with a few employees meeting CMMC Level 1, upgrading to Level 2 once they start partnering with other companies, and "to start doing business with the DOD, definitely go to a Level 3."

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.


