Pentagon makes it clear: the CMMC is going forward whether contractors are ready or not
On 7 November 2019, the Special Assistant for Cybersecurity in the Office of the Under Secretary of Defense for Acquisition & Sustainment delivered a dose of honesty at a defense symposium in Washington, DC. Special Assistant Katie Arrington stated that the DoD is “moving out on this” and that cybersecurity standards will be implemented in every DoD contract. Arrington highlighted the CMMC and its mission to better secure the DoD supply chain. She also referenced the estimated $600 billion lost each year to proprietary theft, most of it attributed to the likes of Chinese nation-state actors.
Arrington made several point-blank comments, including a shot at China and how it pillaged the U.S. government’s F-35 program. Arrington was quoted as saying, "Our adversaries, namely China, in building ... I won't say the name of it, but there is a plane in China that looks suspiciously like the F-35."
Some other key points highlighted by Arrington:
On how quickly contractors will have to become certified: "We are not turning on a light switch in 2020. We are going to start this process in June 2020, and we are going to start rolling it out in very specific contracts." Arrington also noted that every company in the supply chain will need to be certified, and that a certification would be good for three years.
Arrington also provided a blunt reminder to contractors who may otherwise be unprepared: "You're either certified to do the work, or you cannot bid," Arrington was quoted as saying.
Regarding the tiered certification levels, Arrington made it clear that 90% of the 300,000 contractors would only require a CMMC 1 certification, which is the easiest to achieve. Roughly 12,000 would need to meet CMMC 3 requirements, while a much smaller number, those involved in highly classified projects, will require CMMC 4 or 5 certification.
Arrington made a point of highlighting the pushback she was receiving from smaller businesses that are concerned about their ability to become certified. Arrington offered a no-nonsense retort to those businesses, stating, "I am not understanding what the problem is" and that “if you are not doing basic cyber hygiene, you might want to reconsider why you are in business.”
Arrington also shared a warning with contractors who falsely claim they are up to par while DoD inquiries have proven otherwise: "Do you think China is sitting in the back, saying, 'I'll come back when you're ready'? They are walking through those like Swiss cheese."