Keith Nakasone, a senior acquisition official at the General Services Administration (GSA), said this week that his agency has held what he called “very early” talks with other Federal agencies aimed at spreading the use of the Cybersecurity Maturity Model Certification (CMMC) security standard through more of the Federal government.
Perhaps most notably, the CMMC standard is being instituted by the Department of Defense (DoD) for contracts that it makes with companies in the Defense Industrial Base (DIB). DoD is in the process of rolling the certification model out to all its contracts over the next five years. GSA is also working to incorporate the maturity model requirement into some of its contracts.
Nakasone, who is deputy assistant commissioner, IT Acquisition, Office of Information Technology Category, Federal Acquisition Service at GSA, explained during a Feb. 17 online event organized by AFFIRM that GSA is mapping the CMMC model through its contracting regulations, and wants the flexibility to be able to inject the requirement as time goes on.
He also said other Federal agencies – he did not name them – “have come forward and said we are interested” in pursuing a similar course with the maturity model. Nakasone said GSA is “in very early discussions about that,” and described the engagement on the subject as “active.”
Speaking at the same event, Katie Arrington, DoD’s CISO for acquisition and sustainment, said CMMC has “opened the door for cybersecurity as a service,” adding that “already we have cloud service providers creating a model” for CMMC security requirements.
Arrington also said the DoD is “in the process” of building out a national cyber certification program. The national certification DoD is working on will be built off the foundation of the CMMC program, Arrington said Feb. 18 at a NextGov webinar, and will respond to a recommendation made by the Cyberspace Solarium Commission.