CISA’s Coming Supply Chain Guidance to Align with Pentagon’s Vendor Certification Program 


Accreditation officials also pledged to address how the Cybersecurity Maturity Model Certification program will treat FedRAMP and other certifications.

A Cybersecurity and Infrastructure Security Agency task force will release supply chain guidance that incorporates aspects of the Pentagon’s Cybersecurity Maturity Model Certification program, a CISA official said. 

The Defense Department’s CMMC will require that vendors meet specific cybersecurity requirements and get certified by a third-party auditor before working with the department. As Defense officials continue to hammer out the details of the new program, they have been collaborating with CISA’s Information and Communications Technology Supply Chain Risk Management Task Force.

Continued collaboration with the CMMC program will be important, said Robert Kolasky, director of CISA’s National Risk Management Center and government co-chair of the public-private task force, “to make sure that we suck in the way that questions are being asked of the defense industrial base and translate that into other markets in a similar way.”

Unlike CMMC, CISA’s “supply chain essentials” guidance will be voluntary. It is meant for federal agencies and for private sector entities within the 16 critical infrastructure sectors under CISA’s remit—industries that control energy, water, finance and other essential functions, all of which increasingly rely on information and communications technology. Kolasky, however, offered enthusiastic support for the DOD program.

He joined Katie Arrington, chief information security officer for DOD’s acquisitions office, Ty Schieber, chairman of the board of the CMMC accreditation body, and others during a virtual symposium AFCEA hosted on the issue today.

“I applaud Katie and her team for championing CMMC, something I truly think has the potential to be a watershed rising tide that lifts all boats with trust and assurance in the digital world,” Kolasky said. “The companies that will go through the CMMC process also do business with the civilian government, where my agency has a clear network security mission. They also do business with the owners and operators across the 16 critical infrastructure sectors that CISA coordinates management activities with.”

Kolasky said he expects the CMMC will translate into higher levels of security in suppliers across government and stressed that, particularly in the information and communication technology ecosystem, “it’s impossible to separate one particular critical infrastructure sector from another, or the .mil from the .gov.” 

The supply chain essentials document the CISA task force is working on will include a list of questions customers—whether they be the government or industry—should ask of their suppliers about their cybersecurity.

Kolasky said this will ensure suppliers understand security expectations.

“CMMC is a terrific start to a framework that’s going to make a meaningful difference,” he said. “It’s one of those requirements that creates more certainty for businesses and ultimately should incentivize security in a rational manner that will leave the country better off.” 

Take It to the Cloud

The AFCEA panelists also discussed the utility of cloud providers within the context of CMMC.

Arrington, for example, specifically asked CISA analyst Robert Hanson to comment on the benefits of cloud service providers to small businesses that may not inherently have cybersecurity expertise.

“Getting help from vendors who do this for a living, who have economies of scale in actually implementing secure solutions, in implementing some of the infrastructure that isn’t just a server sitting in a basement or something like that is hugely beneficial,” Hanson said. “So there is help, there are vendors who your companies should be able to partner with.”

The accreditation board’s Schieber also touched on the extent to which the board would relate CMMC to the government’s cloud security certification program known as FedRAMP. Contractors that have already gone through the work and costs of getting FedRAMP-certified want to know whether that satisfies CMMC requirements.

And while CMMC-AB board member John Weiler has said FedRAMP and the CMMC are not exactly congruent, Schieber today sought to reassure companies that the board will address their concerns.

“The issue of reciprocity is clearly something that’s on everybody’s minds, ours as well,” he said.

“We recognize, whether you’re FedRAMP, [International Organization for Standardization], whatever standard you’ve already gone through and paid for … it’s something we need to focus on.”

Schieber said the accreditation board has had “conversations with the full spectrum” of government organizations and allied nations with a stake in the issue. The board and the DOD’s program management office are “working through a process that we can use to kind of, in a deterministic and standard method, approach the issue of reciprocity.”

“Coming soon is our intended approach to resolving that very important issue,” he said, noting there should be an influx of new information on the CMMC-AB’s website within the next few weeks.