Primes, subs won’t face the same CMMC security requirements on all contracts

CMMC requirements will not be one-size-fits-all for defense contracts, Katie Arrington said. Different parts of the contract will indicate different levels of security needed.
Katie Arrington, with Kevin Fahey, speaks during a press briefing at the Pentagon, Washington, D.C., Jan. 31, 2020. (DOD / Navy Petty Officer 2nd Class James K. Lee)

The Department of Defense's soon-to-be rolled out Cybersecurity Maturity Model Certification (CMMC) won't require all contractors on a contract to meet the same level of requirements; the required level will instead depend on the type of information each contractor will be handling, said Katie Arrington, CISO for acquisition and sustainment at the DOD.

For small companies, this means they won't need to obtain the more costly, higher-level CMMC certifications to be included on contracts that require the prime contractor to meet that level.

CMMC, the department's new plan to secure the industrial base from cyberattacks, will require all DOD contractors to go through third-party cybersecurity assessments and receive certification at the level matching the sensitivity of the defense information they will handle — from level one, for the department's least sensitive data, to level five, for the most sensitive controlled information. All levels will be certified by independent assessors who will conduct in-person checks.

The DOD will clarify in requests for information notices which parts of a contract will require different certification levels, Arrington said Friday at a Washington Technology event.


“One size doesn’t fit all for security,” she said, adding that the government is trying to be cognizant not to squeeze out contractors from the defense industry by requiring too many expensive security measures.

Arrington and other officials working on CMMC have previously stated that the vast majority of the more than 300,000 defense contractors will only need level one certification. But big contractors working on highly sensitive material will need level four or five to be able to continue handling that information.

“The subs, by what work they are doing, will need to meet a level one or level two,” Arrington said.

CMMC level two certifications will be rare, she clarified. Companies on the lower end of the scale will generally either be a level one or level three, with level two acting as a bridge.

The process for CMMC certification hasn’t officially started yet. First, the CMMC Accreditation Board, an independent non-profit organization, must begin training potential assessors, a process expected to start in March.


Mark Berman, chair of CMMC's communications committee, said it is unclear whether the novel coronavirus pandemic will affect the CMMC rollout. "We are watching the situation closely and coordinating with DoD to determine potential ramifications," Berman told FedScoop in a statement.

Once assessors have been trained and accredited as CMMC certifiers, they will need to physically verify every DOD contractor's compliance with the CMMC standards. Requirements for certification will start to appear in contracts this year and continue to roll out over the next five years.

“We are giving business opportunities (and) plenty of runway to get there,” Arrington said.
