Katie Arrington, Cybersecurity Maturity Model Certification (CMMC) lead and CISO for acquisition at the Department of Defense’s (DoD) Undersecretary of Defense, confirmed that the CMMC and FedRAMP (Federal Risk and Authorization Management Program) offices are working on a way to grant reciprocity between the two certifications.
“They’ve [FedRAMP Program Management Office] already reached out and they’re working through that reciprocity,” she said at the April 29 Unpacking the CMMC webinar. “You, as a taxpayer, paid for FedRAMP. I don’t want you to pay again.”
Arrington explained that the CMMC office has asked the accreditation body (CMMC-AB) to give reciprocity for any vendor that has the authority to operate with the Federal government through a third-party certification system, such as FedRAMP. There is, however, a condition.
“Cloud providers that are FedRAMP-approved, to get the reciprocity, are going to have to close their POA&Ms [Plan of Actions and Milestones] and they’re going to have to adjudicate their POA&Ms to get [CMMC],” Arrington added. Even cloud service providers that have FedRAMP high approval will have to close gaps “with the accreditation body in a way that they feel comfortable,” she said.
Arrington also commented on whether CMMC-approved providers would be held liable for cybersecurity shortcomings after certification. She asserted that she wouldn’t use the word “punishing” to describe holding CMMC-approved vendors accountable.
“If you [the CMMC-approved vendor] fall off and you don’t do two-factor authentication, you are certified and you are doing it but you stop doing it, and that is found to be the cause of why a breach happened, you can be liable. That’s the point of all this,” she said.
However, she further clarified, “We don’t want to do harm to our supply chain; what we need to do is help them get secure. First and foremost, that’s what the CMMC is about.”