In spite of the current crisis, the DoD is pushing forward on its Cybersecurity Maturity Model Certification (CMMC), which will roll out certain programs this fall. To learn more about what this new system means for contractors, Billington CyberSecurity held a virtual roundtable on May 8, 2020, where CMMC movers and shakers answered questions from CEO Thomas Billington and a virtual audience.
Katie Arrington, Chief Information Security Officer for the Undersecretary of Defense, Department of Defense, believes the pandemic may actually cement important cybersecurity changes.
“World War II changed the way we built things. 9/11 created a universal standard: there are very few places in the world where you can go to an airport and get on a plane and not have to go through some security. COVID-19 has changed the paradigm of our work. DoD were the folks that, you’ve got to go into the office, and we’ve come out gangbusters about teleworking.”
Ty Schieber, Board Chairman for the CMMC Accreditation Body, says his rallying cry is, “We must make this happen! Our objective is to take the model and establish and implement a standard that’s consistent. It’s consumable, it’s clear. Most importantly, it’s both affordable and effective.”
He promises standards will be rolled out shortly.
“We’ve made great progress in terms of getting the structure to the ecosystem, getting those definitions so that we can start letting people know what to expect, what’s in it for them, in what capacity and what the requirements are.”
Mark Fox, Senior Manager for Defense Mission Programs at Amazon Web Services (AWS), which has just put up its official CMMC portal, says businesses are focused on reciprocity that allows the leveraging of existing cybersecurity controls. But he cautions that “even if the biggest and broadest reciprocity controls are set out, at the end of the day, there is no easy button…to turn on an environment and you are 100% accredited.”
Katie’s instructions were: “Make this affordable, easy for small businesses because we cannot lose them. We’re trying to reduce costs, not build them. We’re trying to reduce bureaucracy and the time to get things done.”
To that end, her department shrank a 300+ page Defense Acquisition document down to a 12-page compliance guide.
Katie urges every business to get their cybersecurity controls in place.
“We need to make security foundational. You shouldn’t wait to implement these cyber standards and these controls. We’ve given you all the tools. Whether you have to go through the certification or not, you should be doing them. Don’t wait for the government to tell you, ‘Get right.’ Get right for yourself.”
To view the webinar, please visit Preparing for the CMMC Requirements.