DOD’s First Agreement with Accreditation Body on Contractor Cybersecurity Nears End
Lead official grapples with the challenge of resourcing a federally funded research and development center to act as a gateway for the Pentagon’s certification program.
The Defense Department is on the cusp of signing a new agreement with the volunteer organization that has been training auditors for its Cybersecurity Maturity Model Certification program, according to DOD’s Katie Arrington, who is leading its implementation.
“They have come light years. We have done two provisional training classes—they're actually in the middle of the third,” Arrington said during a webinar Tuesday hosted by NeoSystems LLC. “We in the Department of Defense, are, I think today we finalize the statement of work with them. We had a [memorandum of understanding] previously. We've been working on a SOW with the no-cost contract to the AB for five years plus.”
The CMMC, as described in an interim rule now up for comment, was designed to replace the current system of DOD taking contractors at their word regarding cybersecurity practices with one that would require third-party verification that such practices are up to snuff.
In March, the DOD signed an MOU with the volunteer group, which is called the CMMC Accreditation Body, or AB. Under that agreement, the AB was responsible for establishing a “CMMC standard” that would guide its certification of companies seeking to do work with the DOD, based on the department’s tiered model of cybersecurity controls.
“The DoD has provided a cutting edge CMMC model to the AB. The Standards Committee must decide the thresholds for validating that an organization has met the standard for each control,” reads a description on the AB’s website of the relationship between the standard and the model and how the group is approaching the work. “[The Standards Committee] will also look forward beyond today's standard to make recommendations to DoD for future inclusion in the CMMC model.”
But the extent to which the AB continues to be in charge of the certification process could be changing under the new statement of work. A draft of the SOW seen by Nextgov suggests it will supersede the MOU.
“In the statement of work…[The AB has] to go and spin off portions of it to [International Organization for Standardization] certified [bodies],” Arrington said. “The three bodies that need to basically be spun out are all ISO-certified accreditation bodies or training companies that are internationally certified and validated. We needed the AB to be able to spin off and create competition to ensure that we were able to keep the competitive nature of the marketplace itself viable for an enduring capability. So it's, it's not that they're not a part of it. They're at the core of it.”
Arrington also said she would ideally and ultimately like a federally funded research and development center, or FFRDC, to assume certification duties akin to those assigned to the AB under the MOU. But that would require Congressional appropriations, and that’s not easy to get, she said.
She said when she was first conceiving how the program would be implemented, “I automatically went to 'Oh, wow, in the end game, like the CMMC AB, we could fund one of the FFRDCs to create basically the gateway for products.' They would be able to be the, you know, the [Underwriters Laboratory] or the Good Housekeeping seal for CMMC.”
The AB and DOD have come under fire following an effort to fund the AB’s operations with company sponsorships. The endeavor was described as “pay to play” but the AB said the companies would only get marketing benefits in return for their contributions. Arrington denounced the scheme but critics said the DOD also hasn’t put enough resources behind making the program workable.
Arrington said early on she started trying to figure out how to develop legislation to be able to get funding to an established FFRDC that would help implement CMMC.
“That's where I wanted to go. That's where I believe it needs to go,” she said, “but [FFRDCs are] very expensive.”
RELATED PODCAST
NEXT STORY: New Army IT chief mulls risk management reform