DoD contractors and vendors must constantly stay one step ahead in the ever-changing compliance landscape. The DoD, along with other U.S. federal agencies, regularly introduces new frameworks and requirements to protect sensitive government and military information.
For vendors and contractors looking to work with the DoD or U.S. military, compliance isn’t optional; it’s a critical business necessity. Navigating these requirements can be complex, but understanding them is key to maintaining eligibility and operational security.
We recently spoke with Katherine Arrington, the DoD’s Chief Information Security Officer (CISO) for Acquisition and Sustainment (A&S), for insights on DoD contractor compliance. Katherine also serves as a former House Representative of South Carolina’s 94th Congressional District and previously held the position of DoD-wide CISO.
In our conversation, she shared her perspective on new regulatory frameworks like the Cybersecurity Maturity Model Certification (CMMC), the evolving compliance landscape, and practical steps DoD contractors can take to prepare themselves.
Q: What Cybersecurity and Compliance Challenges Do DoD Contractors Face Today?
Katherine Arrington: DoD contractors face growing pressure to strengthen the cybersecurity of their unclassified networks, which store, process, or transmit sensitive government information. The Office of the Undersecretary of Defense (OUSD), the Under Secretary of Defense for Acquisition and Sustainment (A&S), the DoD CIO, and other DoD stakeholders are working closely with the Defense Industrial Base (DIB) sector to improve these networks’ security posture.
Several public reports and articles have highlighted common gaps in contractors’ adherence to NIST SP 800-171 security requirements under DFARS clause 252.204-7012. These gaps leave DoD contractors vulnerable to cyber threats and increase the risk of unauthorized access or exfiltration of Controlled Unclassified Information (CUI).
Q: What Internal Cybersecurity Practices Should DoD Contractors Focus On?
KA: The Department of Defense emphasizes that DoD contractors must fully implement security requirements as part of a risk-based cybersecurity framework. To enforce this, the DoD plans to implement the Cybersecurity Maturity Model Certification (CMMC) alongside the DoD Standard Assessment Methodology to ensure contractors adequately protect Controlled Unclassified Information (CUI).
After the interim DFARS rule took effect on November 30, 2020, the DoD began a phased rollout of CMMC, requiring contractors to achieve a specific CMMC level as a condition for contract awards. The framework also mandates that prime contractors flow CMMC certification requirements down to their entire supply chain, ensuring all vendors comply.
CMMC Level 3 incorporates the 110 security requirements from NIST SP 800-171, plus an additional 20 cybersecurity practices and 3 maturity processes per domain. Contractors who have already implemented the NIST SP 800-171 requirements are well-positioned to achieve CMMC Level 3 certification.
Q: How Will Cybersecurity Compliance for DoD Contractors Evolve in the Coming Years?
KA: The Department of Defense plans a phased rollout of the Cybersecurity Maturity Model Certification (CMMC) over a five-year period. This approach will help DoD contractors smoothly transition from the current “trust” model to the new “trust and verify” paradigm, ensuring that the Defense Industrial Base (DIB) sector and the DoD supply chain meet the required CMMC levels.
The CMMC framework aligns cybersecurity practices and maturity processes with the sensitivity of unclassified information and the associated risks. The Department acknowledges that cybersecurity is not a “one size fits all” solution, and contractors must tailor their internal practices to meet the level of protection required.
Q: Do ITAR and CMMC Frameworks Create Unique Challenges for DoD Contractors?
KA: DoD contractors should understand that CMMC Level 1 corresponds to the 15 basic safeguarding requirements outlined in FAR clause 52.204-21, which map to 17 security requirements in NIST SP 800-171 under DFARS clause 252.204-7012. Essentially, CMMC adds a verification component to existing federal regulations rather than introducing entirely new requirements.
The Department anticipates that most CMMC requirements will be at Level 1, making it cost-effective for small businesses, which make up the majority of the Defense Industrial Base (DIB) contractors.
Q: What Advice Do You Have for DoD Contractors on Ensuring Compliance with Regulatory Frameworks?
KA: I recommend that DoD contractors review the interim rule, “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements” (DFARS Case 2019-D041), available on the Federal Register, as well as the CMMC Model on the OUSD (A&S) public website.
The Department will continue collaborating with the Defense Industrial Base (DIB) sector, industry associations, the National Defense Information Sharing and Analysis Center (NDISAC), the DIB Sector Coordinating Council (SCC) Cyber Assist Task Force, and Procurement Technical Assistance Centers (PTACs). These efforts ensure that up-to-date information and guidance on CMMC compliance remain accessible to all.
Q: How Can DoD Contractors Maintain Preferred Vendor Status and Streamline Procurement?
KA: For DoD contractors seeking CMMC Level 1 certification, I recommend reviewing the basic safeguarding requirements outlined in FAR clause 52.204-21 and the 17 associated security requirements in NIST SP 800-171 and NIST SP 800-171A. The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD A&S) will release the draft CMMC Level 1 assessment guide later this fall.
For DoD contractors targeting CMMC Level 3 certification, I recommend the following steps:
- Review current system security plans and associated plans of action in relation to NIST SP 800-171 per DFARS clause 252.204-7012.
- Take action to close identified security gaps.
- Review the additional 20 practices and 3 maturity processes required for CMMC Level 3.
- Develop a plan to implement these additional requirements.
- Implement the additional requirements.
- Conduct a self-assessment.
OUSD A&S will also release the draft CMMC Level 3 assessment guide later this fall.
Closing Thoughts
New frameworks like CMMC are set to be a game-changer for DoD contractors navigating compliance over the coming years. Katherine Arrington advises that contractors familiarize themselves with CMMC in depth and apply best practices, such as the “trust and verify” approach, to maintain compliance and ensure a smooth, productive business relationship with the DoD.