DOD eyes CMMC-FedRAMP reciprocity by end of FY 2021

The Defense Department is working with the General Services Administration to work out reciprocity between the Cybersecurity Maturity Model Certification (CMMC) program and the Federal Risk and Authorization Management Program (FedRAMP).

Stacy Bostjanick, CMMC's director at the DOD’s Office of the Undersecretary of Defense for Acquisition and Sustainment, said a team is working to align the requirements, methodologies, and levels of the CMMC and FedRAMP, and that an answer could come by the end of the 2021 fiscal year.

One of the key pledges DOD made for CMMC was building on work contractors have already done to meet security requirements for programs like FedRAMP and the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

One of the key differences to be ironed out is that "FedRAMP allows for [plans of action and milestones] and CMMC does not," Bostjanick said Feb. 10 during an AFCEA NOVA event on IT and the intelligence community. With CMMC, "you've either got [authorization] or you don't," she said.

DOD has already completed its reciprocity assessment with DIBCAC and performed provisional audits, Bostjanick said, and a guidance memo is awaiting signature. FedRAMP guidance should follow suit by the end of the fiscal year.

The call for reciprocity has been a key sticking point for contractors that have already devoted significant funds for FedRAMP authorization and would like to leverage that investment to comply with CMMC, which is expected to be included in all Defense Department contracts by 2025.

The call for increased defense industrial base security has heightened in the wake of the widespread, ongoing supply chain campaign that leveraged weaknesses in multiple technology vendors, including SolarWinds.

Bostjanick said that while CMMC, if fully implemented, wouldn't necessarily have prevented the attack, it would've allowed companies to be more aware.

"Everything that we've put in place is not going to 100% protect you against advanced persistent threats. It most probably, up to Level 3, would not have protected you against SolarWinds; it may have given you some indication that it was there," she said.

But the goal, she said, is for CMMC to become irrelevant as elevated cybersecurity practices become the norm.

"CMMC, really, my hope and prayer is that one day we don't even need it anymore because companies all become so aware and they have a culture of security and they start thinking in advance of these threats," Bostjanick said.

This article was first posted to FCW, a sibling site to Defense Systems.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.