The Pentagon official overseeing the Defense Department's new cybersecurity certification program thinks most companies in DOD's supply chain will be able to maintain the required cyber credentials for $1,000 per year or less.
Katie Arrington, chief information security officer within the Pentagon's acquisition and sustainment directorate, said DOD has priced out how much it will cost contractors to implement the new Cybersecurity Maturity Model Certification. DOD plans to begin including CMMC in contracts this fall.
The CMMC program includes five levels of certification, ranging from "basic cyber hygiene" at level one to advanced security practices at level five. The certification program combines several existing cybersecurity standards, most notably the National Institute of Standards and Technology Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
Under the program, companies will be required to obtain a CMMC assessment from a third-party auditing firm and then a subsequent certification from the newly established CMMC accreditation body before they can win defense contracts. Certifications will last for three years, according to DOD.
During a webinar today hosted by Bloomberg Government, Arrington said most companies in DOD's supply chain -- approximately 285,000 -- will only require level one certification. She said DOD estimates it should cost no more than $3,000 to implement the level one security practices and obtain a certification.
"So $3,000 once every three years is less than it costs to have a business license per quarter in most places," Arrington said. "We really have reined in the pricing."
Furthermore, DOD is allowing contractors to include the costs of certification in the rates they charge the department. She said most companies will build CMMC costs into their labor rates, but DOD officials have "worked a bunch of different ways to make sure companies can recoup it."
Arrington said the Pentagon is willing to pay more to ensure contractors are protecting sensitive government information, as she highlighted an oft-referenced number that U.S. companies lose $600 billion per year due to cyber theft.
"We understand that there's going to be a cost to this, but when we're losing $600 billion a year, if I have to put $1 billion in to make sure that we protect ourselves, it's a huge return on investment," she said. "And more importantly, investing in ensuring our supply chain remains whole."
However, about 15,000 companies in DOD's supply chain currently manage controlled unclassified information and will require CMMC level three or higher, according to Arrington. She did not address the estimated costs for the higher levels of the program.
Meanwhile, Arrington clarified the role of prime contractors in the CMMC program. She said primes and subcontractors should ensure the companies in the supply chain are certified at the CMMC levels required in requests for proposals, but prime contractors do not have the ability to directly certify their own subcontractors. Instead, the accreditation body is responsible for training and licensing auditors, as well as issuing certifications.
"The primes can, if they so desire, go and help their small businesses within their supply chain get certification, but we didn't want to give the authority to the primes to authorize their subs, because we felt that was not the [right] methodology," Arrington said. "Every company has to go to the CMMC Accreditation Body."
As she has said previously, Arrington confirmed today the CMMC program won't be paused despite the COVID-19 outbreak. But she said there may be a "two-, three-week slip" in doing the first audits for the initial CMMC pathfinder programs as the Pentagon and the accreditation body work out how to both train auditors and ensure they stay safe during in-person audits.
"But a two-week push is not going to have a massive impact," she said.
The Pentagon plans to begin including CMMC certifications in some requests for information this June and then in requests for proposals this October. The CMMC requirements show up in just 10 contracts this year, officials have said.
Arrington said DOD will slowly integrate the requirements into programs, and officials will work with individual programs to ensure contractors are keeping up.
"We're not going to let it slow down acquisition," she said. "Acquisition is already slow enough."
DOD aims to have CMMC requirements in half of all department contracts through 2022, with the certification showing up in every defense contract by the end of 2025, according to Arrington.
She also clarified that the CMMC requirements will be included in other transaction agreements, grants, and Small Business Innovation Research and Small Business Technology Transfer programs.
"We are going to be imparting this on the whole of DOD," Arrington said.