Francis: The Cybersecurity Maturity Model Certification Accreditation Body has a new course in the works to train independent assessors to evaluate compliance with CMMC standards. The first phase of the CMMC requirements should be in place in the next six months. Katie Arrington is the Chief Information Security Officer for Acquisition at the Department of Defense.
Katie, welcome back, thanks for coming back on the program. What is happening with the Accreditation Body and when can people expect to understand what it is that the auditors are going to come to their companies and look at and how they’re going to do it?
Katie Arrington: So, thank you for having me, I always appreciate the opportunity to talk to you. So the Accreditation Body did what they said they were going to be doing, which is opened registration for three CPAOs, to start the training classes. The assessment guides have been created by the Department of Defense that have been transmitted to the AB, and they are developing the courses to reflect those. So we are rocking and rolling and moving out, our intent as we’ve stated that as the rule change goes into effect, we will have auditors coming out of their first course at the AB, so that we can work through whatever changes need to be made in the model after the rule change, and it be adjusting but we are rocking right in that timeframe. So you know, Fall 2020.
Francis: One of the things that the auditors will be looking at no doubt as they start to take a look under the hood at these companies is where the equipment is coming from. A lot of vendors are saying we need some time to make sure we have gotten, to be precise, to get any Huawei equipment out of our supply chain, out of our compliance chains. That deadline is approaching pretty quickly. What’s happening with that deadline – will there be any flexibility for these companies, Katie?
Katie: I do not believe so. I mean, the deadline is August 13th. New contract awards coming out. The companies need to attest that they don’t have the products within their network. We at the Department of Defense fully support the intent of the legislation. You know, we talk about cyber security, and I’m a big proponent for, it really needs to be now, and we need to pay attention. Our adversaries are actively campaigning against us. So we in the Department are moving forward with it. There are multiple phone calls every day to make sure we are doing our best to prepare ourselves internally on how to receive that information from the companies and document it so we are in compliance with the law. August 13th.
Francis: What happens if, for companies that are on contract that find that they have issues in that area?
Katie: Great question, and thank you for that. So the new rule does not go into current contracts. It only applies to new contracts. So, if you have a contract right now that has the product in it and in your network, you definitely should have been working to remove it a while ago. But you are not going to be held to attest for the government until you come for a new contract award or they move to extend the option here.
Francis: What about cases where there are operations going on in countries where Huawei pretty much is everything there? How does the Department intend to deal with those kinds of circumstances, Katie?
Katie: It is going to be on a case-by-case basis. As we work through the potential of a waiver, that needs to be based on the contract, and that needs to go through a pretty rigorous process.
If a company was to request a waiver, they would need to lay down where the product was in their environment, and they would need to document clearly the phase-out of that product to apply for a waiver. And that is in the legislation right now. But waivers are something that we really need to think about, and making sure we stay on if a company is able to achieve a waiver, how do we ensure that we get that product out of the system? But we should use this as, you know, I always try to look at, everything happens for a reason in time, and we really need to be aggressive about making sure our country, our businesses, our freedom is protected, so we really need to get out on this.
Francis: It sounds like you’re going to want pretty specific visibility into where a piece of equipment is and what’s going over that piece of equipment before considering a waiver.
Katie: Absolutely, and especially when you are talking about our critical technologies, and the things that we as the United States value in our national security. We absolutely in the DoD are fully intent on staying with the letter of the law, and we will work with industry as much as possible, but this has been a long time coming. We had to do it last year.
Francis: One of the first times you and I talked about CMMC on television, Katie, you said that you hoped other organizations in government would adopt these standards – organizations on the civilian side. GSA did that this week, saying in the STARS III RFP they will be looking at CMMC standards. What was or is your level of interaction with them about educating them about what you are doing, or what your expectations are, or evangelizing on behalf of the standards, or whatever? How are you helping other organizations across government understand what you’re doing?
Katie: Well, GSA of course works in partnership with the Department of Defense, and I didn’t influence that, but I definitely evangelized it, without a doubt. But it’s the strong leaders over at GSA that made that decision to say, we have the right, in future solicitations, task orders, to request a CMMC. I think the bigger picture is, we were working through and aware of what was going on with the National Cyber Solarium Commission. We clearly saw what they were doing. They, in Section 4 of that document, referenced the CMMC, and they reference a national cyber certification program. And, more importantly, in that document, in that report, which was amazing, was that they want to amend Sarbanes-Oxley to amend cybersecurity, require reporting and qualifications in the SEC filing. So we definitely have a change happening; I’m a piece of it; there’s a larger movement to secure this nation, to secure businesses from the adversarial threats. So definitely applaud GSA leaning in, I think that was remarkable and it’s great to see when good people have a unified mission trying to do the right thing by the taxpayer and by the US government.
Francis: Katie Arrington, thanks very much as always, great to have you on the program.
Katie: Thank you so much – have a wonderful day.