CMMC reciprocity guidelines are still a work in progress

The Defense Department is hoping to begin rolling its Cybersecurity Maturity Model Certification program later this year, but questions remain about how reciprocity with FedRAMP will be handled.

lock and keyhole

The Defense Department's unified cybersecurity standard, the Cybersecurity Maturity Model Certification program, is slated to roll out in November. But one of the key promises made to bolster CMMC's support, that vendors be able to save money by leveraging other government cybersecurity certification programs, hasn't yet been figured out.

"Reciprocity means something, but we need to have reciprocity from companies or certification programs that actually have a basis," Katie Arrington, the Defense Departments chief information security officer for acquisition, said at the Billington Cybersecurity conference on Sept. 8.

Arrington has previously said companies should get some credit for investments they've already made in programs like the Federal Risk and Authorization Management (FedRAMP), but indicated that it and other programs aren't fully equivalent to CMMC and may require additional investments.

When it comes to programs like FedRAMP, "we have to understand that they are alike but not the exact same," Arrington said.

"Right now, FedRAMP Moderate Impact Risk is close but FedRAMP High Impact Risk is closer to the [requirements of Level] 3," she said, illustrating the differences in each of the programs' requirements.

Arrington said the CMMC Accreditation Body is working on the particulars of how such reciprocity would work and that industry should submit feedback on the issue.

Karlton Johnson, the vice chair of the CMMC Accreditation Body's board of directors, said the organization is working with DOD on ironing out reciprocity agreements with programs such as FedRAMP to make the process easier.

"We want people to do the CMMC program, embrace it, perform with it," Johnson said during the panel, adding that such arrangements will make the program easily "consumable, concise, and clear."

Johnson said the DOD's certification program will set baselines, such as small shops with a few employees meeting CMMC Level 1, upgrading to Level 2 once they start partnering with other companies, and "to start doing business with the DOD, definitely go to a Level 3."