Don't count on an interim CMMC certification
By
Nick Wakeman
The Defense Department's "voice of CMMC" Katie Arrington sent one very clear message during a webcast Thursday -- there will be no provisional certifications. It's either go or no go for the new cyber standard that contractors must follow.
One message was made clear from the Defense Department’s Katie Arrington during a Washington Technology webcast on Thursday -- there is no gray area when it comes to the Cybersecurity Maturity Model Capability assessments contractors will have to go through.
Several questions came in during the session sponsored by Baker Tilly and Deltek asking if the government will allow interim certification or remediation periods, which would buy a company time to fix any deficiencies found during an audit.
Let’s say a company is trying to reach CMMC Level 3 -- which means they comply with NIST 800-171's some 110 security requirements -- and that business has the processes and policies in place to maintain that level of compliance over time.
But the third-party assessor finds deficiencies. The questioners wanted to know if they could get in essence a provisional CMMC Level 3 with a deadline for compliance. This would allow them to continue to win work that required Level 3 while they fixed the deficiencies.
Arrington, the chief information security officer for acquisition and sustainment and the main force driving CMMC implementation, made it clear there were no temporary certifications.
There is a mediation process if you disagree with your auditor's findings but there is no interim certification.
“It is go or no go,” she said.
Companies have been self-certifying that they comply with NIST 800-171 for several years, but Arrington said the Defense Department is now moving into a “trust by verify” era.
The stakes are too high, according to Arrington. Over $600 billion a year is lost through the theft of intellectual property, ransomware attacks and other cybersecurity disruptions, Arrington said.
“There is no more I’m going to get there next week,” she said. “It is now. We can’t wait. Our adversaries aren’t waiting.”
The government is being aggressive because the threat is growing. That’s why they published an interim CMMC rule on Sept. 29 and not a proposed rule. The interim rule becomes final on Nov. 30, but Arrington also urged industry to respond and submit questions and comments.
“We need you now more than ever,” Arrington said. “It’s about you, it’s about your IP, it’s about your employees and their personal information."