Katie Arrington, chief information security officer at the office of the assistant secretary of defense for acquisition and a 2020 Wash100 Award winner, said the requirements and other elements of the Cybersecurity Maturity Model Certification (CMMC) program could still change as the Department of Defense (DoD) assesses the public comments submitted through the end of November, Nextgov reported Wednesday.
An interim CMMC final rule will take effect Dec. 1, and Arrington said a final rule could be released by February.
“The level three in the CMMC is the 110 controls in the NIST,” Arrington said. “Right now it has 20 additional controls added to it. We’re open to public comment period. So if any of you have any thoughts on those additional 20 controls, please, before November 30, you have to go in and register and submit those.”
Although she expects about 0.06 percent of contractors will need to comply with the requirements at the very top of the five-tier CMMC program, Arrington said she thinks those would be “the biggest conversation pieces that we'll be having over the next six months.”
“We have to be judicious with our budgets,” she added.
Arrington will serve as the keynote speaker at the Potomac Officers Club’s Fall 2020 CMMC Forum on Nov. 17th. To register for the Fall CMMC Forum on November 17th, as well as view upcoming events, visit Potomac Officers Club’s Event Page.
During the forum, you will hear from additional federal and industry leaders who will discuss the requirements and priorities of implementing the certification, including scoping of CMMC assessments, supply chain impacts and C3PAOs.