Enable breadcrumbs token at /includes/pageheader.html.twig

CMMC Measures Should Be Applied Early, Says Pentagon Official

The defense community should not wait for CMMC formalization to practice its security.

“The time is now” for companies to begin implementation of Cybersecurity Maturity Model Certification (CMMC) measures, said the chief information security officer for defense acquisition. Katie Arrington, speaking at AFCEA’s Virtual CMMC Symposium, told participants that many CMMC tenets constitute good practices that can—and should—be implemented even before the CMMC is formalized.

“Let’s not wait until it’s required; let’s do it now,” Arrington said. “The time is now.” She added that the country loses $600 billion a year to adversaries, and practicing basic cyber hygiene methods that will be part of CMMC level 1 standards will help companies immensely.

Many of the aspects of the CMMC are derived from existing security standards that contractors and defense acquisition authorities already must follow, such as NIST 800-171, she pointed out. “If you have DFAR clause 252.204.7012, that is linked to NIST 800-171 standard. You are doing the 110 controls,” she said.

Arrington also emphasized that 85 percent of the companies watching the presentation will only have to achieve the CMMC level 1. The key to that level is effective password management, which can be achieved by following proper cyber hygiene. Effective security will be easily achievable and relatively inexpensive.

“The CMMC is to lower the barrier to entry,” she declared. “We are making security clearly an acceptable cost.

“We don’t want to lose anybody within our defense industrial base ecosystem,” she emphasized. “We want you to be safe.”