Cybersecurity, Privacy, & AI


Final DOD Cybersecurity Certification Model Due Friday


Katie Arrington, chief information security officer for the Office of the Assistant Secretary of Defense for Acquisition, says DoD will review a final version of its planned Cybersecurity Maturity Model Certification on Friday and share some key implementation details.

Once a final rule implementing the model is incorporated into DFARS 252.204-7012, defense contractors will no longer be able to self-certify their compliance with NIST’s cybersecurity framework. However, some contractors are balking at the cost of compliance and the stringency of the new requirements.

During a Q&A at the offices of Holland and Knight, Arrington questioned why contractors who are already self-certifying compliance with their contractual obligations would be concerned that DoD will soon require third-party certification. “For those of you who are attesting that you’re doing the 171, and you say it’s too high of a barrier to get compliant to level 3, I ask why,” Arrington said. “If you’re already attesting on your contracts that you’re doing it, and I’m just saying I need you to prove that you’re doing it, and you’re telling me that’s too much of a burden to bear, I struggle with that.”

Arrington noted that lower-tier certification should not be costly, and that DoD will only write CMMC into new contracts. RFPs incorporating the model aren’t expected until October, after the implementing regulations are finalized.

DoD also will release an RFI for a database housing information for the accreditation body. That system will be portaled into contractors’ SAM identification numbers.

Read the full post at NextGov
