The interim rule for the Cybersecurity Maturity Model Certification (CMMC) was posted in the Federal Register on Sept. 29, opening a public comment period for the amended regulation, which is scheduled to become effective November 30.
The Department of Defense (DoD) amended the Defense Federal Acquisition Regulation Supplement (DFARS) to help protect controlled unclassified information (CUI) in the defense industrial base (DIB) by auditing the cybersecurity practices of DIB companies.
“We’re at the point now where we have solid ground to stand on as we move through the CMMC rule,” said DoD’s Katie Arrington, the CISO in the department’s acquisition office, speaking at the ComDef Forum on Sept. 29. The rule, submitted as an unpublished document the day prior, was published in the Federal Register before her remarks.
Arrington, who has been involved with the CMMC process dating back to its initial rollout earlier this year, called Tuesday’s rule publication a “first step,” and urged work with international partners to increase security.
“The likelihood that a vendor in the U.K. working on satcom development isn’t going to get hit at the same time a development in the U.S. is, is slim to none,” she said. “We need to get better at getting ahead of that.”
The key, Arrington explained, is information sharing both between and within countries.
“The big thing to get over is our barriers on information sharing between government and the [intelligence] communities to the industrial base,” Arrington said.
She called CMMC “absolutely foundational,” adding that the next steps are furthering information sharing and a better understanding of illumination tools that show the risk.
Earlier this year, Arrington said she thought the “CMMC will become the basis for a global standard” in cybersecurity.
She estimated that about 285,000 of the approximately 300,000 Federal contractors in the DIB will get the Level 1 certification under the new standard.
The department plans to include CMMC requirements this year in “10 Requests for Information (RFI) and 10 Requests for Proposal (RFP),” according to information published earlier this year by Amazon Web Services, which, according to its website, is collaborating with DoD and the CMMC Accreditation Body on the requirements and certification process.