Katie Arrington, CISO for acquisitions at the Department of Defense, has suggested it might be necessary to revise the CMMC standard to address the high costs associated with validating procurements at the very top of the tiered model. “There’s a lot of discussion I think yet to be had on level four and five,” she noted. Arrington questioned whether there is a return on investment in implementing all of the controls at each of those top levels, as department officials accept that vendors will include the cost of the cybersecurity certification in their proposals.

More at NextGov