Critical Update: Why the Pentagon’s Cybersecurity Certification Program Inspires Hope and Fear
NextGOV, 19 May 2020: The implications of the Defense Department's plan to subject its suppliers to independent cybersecurity audits, a program known as Cybersecurity Maturity Model Certification (CMMC), reach far beyond the defense industrial base. Contractors of all shapes and sizes are in a tizzy. Before the end of the year, the Defense Department intends to finalize a rule change that will require any contractor it engages with to have obtained a certification of its cybersecurity practices from an approved external auditor. The new rule will end the department's current practice of taking companies at their word on this. And Katie Arrington, chief information security officer for DOD's acquisition office and the woman heading up the program, likes to remind those who might be running scared of a certain fact: there is no escaping CMMC; its adoption or replication across the federal government and the broader U.S. economy is inevitable. "It's not DOD, that's one thing I want to make clear," Arrington says. "This isn't just DOD." As ambitious as the CMMC seems (the program looks to eventually cover 300,000 contractors and subcontractors), it is still just a small part of the equation in emerging U.S. cyber policy.