CyberBytes Issue Brief #1: A conversation with Katie Arrington, CISO for Acquisition and Sustainment at the DoD, and Andrew Stewart, CAPT, USN (Ret.), Senior Federal Strategist at Cisco.
The Future of CMMC in 2021.
With the recent SolarWinds hack still reverberating through the news, everyone is wondering about cybersecurity advances in the DoD. This made the debut of the Billington Federal CyberBytes podcast especially timely. The podcast is intended to supply crucial, easily digestible information from military and industry experts, so we dove right in with a discussion of the Cybersecurity Maturity Model Certification (CMMC), one of the major initiatives the DoD is pursuing to improve cybersecurity among its contractors. We were thrilled at the opportunity to discuss this important subject with Katie Arrington, a tireless advocate for CMMC in her role as CISO for Acquisition and Sustainment at the DoD, and Andrew Stewart, CAPT, USN (Ret.), Senior Federal Strategist at Cisco.
We asked Katie if she could forecast where CMMC would be in the coming year. She predicted that by the end of September 2021, “we’ll have had at least 15 large contracts come out and start the acquisition process. We’ll have in range of about 2000 companies that have been through the CMMC certification. We’ll start looking at more federal agencies. We’ll have agencies like DHS coming along at that point, because we’ll have been able to work through the nuances of the model through this first part of 2021, into the springtime.” She also predicted the DoD would start CMMC level four and five assessments in just a few months, around March to April.
Katie is excited by changes in how companies in the DIB view cybersecurity. “Cybersecurity is finally being taken into the C suite level,” she says, “and it is a part of what a company thinks about as basics. You know, what do we do? Are we cyber secure?” She’s especially excited by the increased understanding of and appreciation for NIST in small businesses. In the last two years, she says, “I’m even surprised how far we’ve gotten.”
Cisco’s Andrew Stewart is also bullish on CMMC. “The outcome is not about trying to patch more holes in the dam,” he says. “It’s about fundamentally improving the DIB approach to cybersecurity practices and procedures that strengthens an entire foundation. So security and networking solutions should work as a team.”
We are grateful that Katie and Andrew took the time out of their busy schedules to talk to us, and appreciate all their efforts to keep our country safe. We’re also very proud of our first podcast. It’s a great start to an exciting project.