Speaking at the Billington Cybersecurity conference last week, Katie Arrington, the Defense Departments’ chief information security officer for acquisition, said DoD has not yet figured out how vendors will be able to save money under the Cybersecurity Maturity Model Certification by leveraging other government cybersecurity certification programs. Those cost savings have been one of the key selling points of the program. Arrington has previously said companies should get some credit for investments they’ve already made in programs like the Federal Risk and Authorization Management, but indicated that it and other programs aren’t fully equivalent to CMMC and may require additional investments.
