DOD Official: Upcoming Cybersecurity Requirements Could Still Significantly Change Based on Industry Feedback


Defense Acquisitions CISO Katie Arrington highlighted cost concerns and encouraged public comments toward a final rule on the department’s planned certification program.

The Defense official in charge of rolling out the department’s Cybersecurity Maturity Model Certification program suggested it might be necessary to revise the standard to address high costs associated with validating procurements at the very top of its tiered model. 

“There's a lot of discussion I think yet to be had on level four and five,” Katie Arrington, the DOD’s CMMC lead, said. “Is it all the controls in level four? Or is it a you know, à la carte that you need to be able to meet 50% of the controls in level four, to get certification? Because it's very expensive. And is there the [return on investment] on implementing all those controls? Do we need to modify the CMMC?”

Department officials realize and accept under a new rule that vendors will include the cost of the cybersecurity certification in their proposals.

Arrington briefed members of the defense contracting community Wednesday during a webinar hosted by Project Spectrum, an education and training initiative supported by the department’s Office of Small Business Programs.

The CMMC program aims to replace a system of accepting contractor testimonials about their cybersecurity posture with one where all entities within the defense industrial base have been audited by an independent third party. The requirements will vary relevant to the level of risk—one through five—they present.  

Public comments are due at the end of November on an interim CMMC rule that will take effect on Dec. 1. A final rule, which will factor in those comments, can be expected by February, Arrington has said.

According to Arrington, contractors being considered for awards after Dec.1 must have submitted a basic, self-assessment where they give themselves a rating from zero to 110, reflecting the number of controls they employ from the National Institute of Standards and Technology’s Special Publication 800-171. If entities are using more than 80 of those controls, she said, they will be considered in need of a medium or high assessment, which would involve personnel from the Defense Contract Management Agency. 

But DCMA’s defense industrial base cybersecurity assessment capability can only handle about 90 assessments a year, Arrington said. That’s where CMMC’s third-party auditors come in. 

Eventually–by October 2025—everyone within the defense industrial base must be audited by an external entity, with basic self-assessments translating into level one of the CMMC model.

The CMMC model, at various levels, includes the 110 controls of NIST’s SP 800-171, as well as other controls curated from requirements under other governments, including those in Europe.

Arrington said those elements are up for discussion, and could change based on comments DOD receives.

“The level three in the CMMC is the 110 controls in the NIST,” she said, for example. “Right now it has 20 additional controls added to it. We’re open to public comment period. So if any of you have any thoughts on those additional 20 controls, please, before November 30, you have to go in and register and submit those.”  

Arrington estimates only 0.06% of Defense contractors will need to comply with requirements at the very top of the five levels outlined in the CMMC model. But she foresees them being “the biggest conversation pieces that we'll be having over the next six months.”

“We have to be judicious with our budgets,” she said.