Page 12 - FCW, July 2020

Trending
CMMC moves forward, but concerns persist
$960M is the five-year value of Leidos’ new blanket purchase agreement with Customs and Border Protection
The Defense Department’s Cybersecurity Maturity Model Certification program had to pivot a bit since its initial rollout earlier this year, partly due to the pandemic and social distancing measures, but it is moving forward, according to a top acquisition official.
The CMMC Accreditation Body had to reconfigure training from onsite to virtual, and the rulemaking process to revise the Defense Federal Acquisition Regulation Supplement hit some snags but is now underway, said Katie Arrington, DOD’s chief information security officer for acquisition, during a June webinar sponsored by PreVeil.
She added that the Accreditation Body began accepting registrations for training CMMC Third-Party Assessment Organizations in June. The first cadre of those cybersecurity assessors is expected to graduate from the program in late July and early August. Around the same time, DOD will begin including requirements for CMMC compliance in requests for information, and the requirements will be incorporated into requests for proposals this fall. However, Arrington said those contract awards likely won’t happen this year, and companies do not need CMMC certification until the time of a contract award.
Even as the CMMC program moves forward, some defense experts are expressing concerns about involving the private sector in cybersecurity oversight.
“You’re handing over to a third party whether people will be able to bid on contracts or not,” said Frank Kendall, former undersecretary of defense for acquisition, technology and logistics, during a recent meeting of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board. “That made me a little nervous because that tends to be an inherently governmental function, determining whether somebody is a responsible contractor.”
Kendall, currently a board member at Leidos and a senior fellow and adviser at the Center for American Progress and the Center for Strategic and International Studies, added that although he supported well-defined standards, he did not believe the government should outsource its cybersecurity oversight responsibilities with respect to contractors.
“If the government has a problem enforcing its contracts, maybe the government should do a better job enforcing its contracts,” he said. “The much more straightforward approach would be to build up the government’s capacity to inspect firms and take corrective action if they’re not meeting the standards.”
In a Forbes article published in April, Kendall wrote that litigation risks could increase if an independent assessor tells a company it doesn’t meet the certification level needed for a contract. “When an assessor effectively tells a business that it is not allowed to bid on a government contract it may have been preparing to bid on for months if not years, people are going to get upset, very upset. The list of possible disputes is long — where and how will they be resolved? Who will absorb the litigation risk for the authorization board, the accredited organizations or the licensed assessors?”
The situation could result in less competition and more project delays, which could have a negative impact on the government’s performance, he added.
“What I’m afraid we’ll end up with is an illusion that we have more cybersecurity than we actually have because people will have certifications,” Kendall said.
— Lauren C. Williams
DOD taps Dave Spirk as chief data officer
Dave Spirk, who served as chief data officer at U.S. Special Operations Command for the past two years, is now CDO at the Defense Department.
“Effective data management is the central component of the department’s Digital Modernization Strategy,” CIO Dana Deasy said in a statement. “Dave brings extensive experience and a thorough understanding of how data empowers joint, all-domain operations. I look forward to working with Dave as we create a strong data culture across the department.”
Spirk, who has experience working with intelligence agencies, will help DOD execute its modernization strategy. Part of that strategy includes collaborating more closely with industry and non-DOD mission partners to better focus IT investments to take advantage of the department’s massive — but decentralized — troves of data.
The CDO position moved to the CIO’s office from the Office of the Chief Management Officer because of requirements in the 2020 National Defense Authorization Act. Deasy outlined plans at the beginning of the year to set up a small, 10-person office to support the new hire. One of that office’s first priorities will be aligning DOD policies, standards and implementation to support all-domain operations against “a capable adversary.”
A DOD spokesperson told FCW that the department’s data strategy will likely be issued later this summer.
— Derek B. Johnson