Official: Reciprocity Memos on DOD’s Cybersecurity Certification Program Are Ready


Prospective contractors will get credit toward the requirement for approvals by three existing public and private auditing programs.

The Defense Department and the pending nonprofit organization working to implement a new certification program for all contractors have agreed on terms for accommodating companies that have already been audited for cybersecurity, and the related memos are set to be signed, according to a leading official.

The Cybersecurity Maturity Model Certification, or CMMC, will replace the current system in which Defense Department contractors simply pledge their adherence to cybersecurity standards issued by the National Institute of Standards and Technology. It will require companies to undergo audits by independent third parties, overseen by the Cybersecurity Maturity Model Certification Accreditation Body, or CMMC-AB, which is waiting on the Internal Revenue Service to grant it tax-exempt status.

As many services are cloud-based, members of the contracting community have been eager to inherit the benefits of actions those providers might have already taken to validate the security of their systems, including through the Federal Risk and Authorization Management Program, or FedRAMP, which is run by the General Services Administration.

Defense officials sought to assure contractors that CMMC auditors would consider FedRAMP certifications, but no such reciprocity was mentioned in an interim CMMC rule the department made effective Nov. 30.

Speaking at an event hosted by CompTIA Tuesday, Katie Arrington, the chief information security officer for Defense acquisitions, said CMMC will officially provide reciprocity for FedRAMP audits, for the assessments DOD's own Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, has been conducting since the summer of 2019, and for certifications against standards of the International Organization for Standardization, or ISO.

“I'm going to take any ISO 27001 and provide reciprocity,” Arrington said, referring to the foundational international information security standard. “We're giving reciprocity for the DIBCAC assessments that have already been done. And we're giving reciprocity when it comes to FedRAMP. Those memos are up in the office of the undersecretary to be signed out...we've agreed upon all of those terms with the AB, the CIO, and the other stakeholders.”

Arrington explained a little more about how reciprocity for FedRAMP—which, like CMMC, has a tiered structure based on risk levels—will work. She stressed that unlike FedRAMP, which credits companies for submitting a plan of action and milestones, or POA&M, CMMC will be approving companies based purely on where they are at the time of review.

“A CMMC level 3 is a FedRAMP moderate, so if you’re using a cloud service provider to supplement portions of a CMMC 3, then absolutely, you need to have the [cloud service provider’s] certification for the assessor. The contractor with the assessor needs to show proof of this,” she said. “The difference between CMMC and FedRAMP is we are not allowing plans of action to get better, right, you either are or you aren't.”

Arrington said the Air Force is expected to issue the very first contract with CMMC requirements, with a request for proposals coming in the middle of March. Others would be dropping every two weeks, she said.