The first group of auditors for Cybersecurity Maturity Model Certification (CMMC) should finish training by the end of the month, according to National Defense. Katie Arrington, Chief Information Security Officer for Acquisition at the Department of Defense, answered questions about CMMC on “Government Matters” Sunday.
About 300,000 companies that make up the Defense Industrial Base will have to comply with CMMC eventually. According to Arrington, the number of auditors who will eventually graduate is based on the number of contractors that need certification, and it will take about five years to certify these auditors.
The first class of 25 was “provisional,” Arrington stated, to see what changes needed to be made to the curriculum, assessment guide and tests. A new session will start every few weeks. “I would say for the DoD component piece, we easily need a few thousand of the auditors,” said Arrington.
There are a few things companies can do to prepare to be audited, including going over pre-audit interview questions and making sure to have people from cybersecurity or IT ready to have a conversation. “[The auditors] are not there to put you out of business,” Arrington explained. “Our whole goal is to make sure you’re as secure as possible so you’re an enduring capability that we can rely upon.”
Arrington also addressed the issue of reciprocity, stating, “we are all in – we don’t want to duplicate good work.” Companies will be able to get some credit for progress they have made in programs like the Federal Risk and Authorization Management Program (FedRAMP).
When asked if companies will ever be able to submit those certifications in place of having an auditor actually come to the company, Arrington replied, “no, the auditor will always have to make an official visit to the company,” because part of the value-add of CMMC is that “it buys down substantially the risk of foreign ownership in our supply chain, and shell companies.”
There has been some concern about whether the rule of CMMC implementation is an interim rule or a proposed rule. Arrington does not think that should matter. “We’ve been saying very clearly what the model will look like, what the requirements will be, how it will be rolled out onto contracts,” she said, and there will be a public comment period. “When it comes to national security … the faster the better that we get this out there,” she stated.
In response to recent headlines about changes on the CMMC board, Arrington said, “what I would say to … the media, journalists and the public, we owe a debt of gratitude … to everyone – past, current and future – on the board. These are people who have been volunteering easily 60 hours a week since November of last year.” She continued, “I find it disheartening that volunteerism and working towards the mission, that people would take it and try and do something negative. That’s absolutely not what this was about at all.”