Posted by Stephen Palamara, TCC Director of Business Development

This is a follow-up to my earlier blog post, which discussed the Department of Defense's recent announcement that it will soon unveil a new cybersecurity standard and certification for defense contractors, called the “Cybersecurity Maturity Model Certification” (CMMC).

At the 2019 Federal Acquisition Conference Presented by PSC on June 13, 2019, Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, Office of the Under Secretary of Acquisition and Sustainment, gave a presentation titled “Securing the Supply Chain”. The full PowerPoint presentation can be viewed here.

To set the tone for the presentation, Ms. Arrington showed a slide with the following quote from The Honorable Kevin Fahey, Assistant Secretary of Defense for Acquisition: “We need risk management solutions to assess, measure, and mitigate risk in real-time across multi-tier partner and supplier networks to achieve our goal of cost, schedule and performance, as they are only effective in a secure environment.”

In her presentation, Ms. Arrington discussed the development of the CMMC and provided more information on the model. The following are some of the discussion points:

  • “The DoD is working with Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.”
  • “The CMMC levels will range from basic hygiene to ‘State-of-the-Art’ and will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.”
  • “The required CMMC level (notionally between 1-5) for a specific contract will be contained in the RFP sections L & M, and will be a ‘go/no-go decision’.”
  • “The CMMC will include a center for cybersecurity education and training.”
  • “The CMMC will include the development and deployment of a tool that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.”

There will be twelve collaborative Industry Days/Listening Sessions in locations across the country in July and August 2019 to provide a venue for stakeholders to obtain information and voice concerns. September 2020 is the anticipated target rollout date for the CMMC 1-5 requirement to appear on RFPs.

In another blog post, we will take a closer look at the notional CMMC model components discussed by Ms. Arrington at the conference.

To find out more about TCC’s Security Services, please visit our website.

