SAN FRANCISCO — The Department of Defense official leading the overhaul of cybersecurity requirements for the Department of Defense contractors sees the model as being in a “constant state of evolution” over the next few years.

Katie Arrington, the chief information security officer for the Office of the Under Secretary of Defense for Acquisition and czar for the new Cybersecurity Maturity Model Certification, told Fifth Domain in an interview at the RSA Conference that work on CMMC will be a “perpetual thing.”

After the CMMC requirements are written into contracts around October, Arrington said she wants to “have some data to say ‘okay, these controls — are they really worth the return on investment? Do we need to tweak the model?’”

CMMC 1.0 was released at the end of January.

Right now, Arrington said, she is working with staff to create the audit training. One of the challenges in building the training, like creating CMMC itself, is ensuring that it is simple and easy to understand.

Beyond CMMC, Arrington said that the “next big thing” she’s going to work on is supply chain illumination tools and adding continuous monitoring into "... those most vulnerable in our supply chain and the ones that are working on the most critical technologies,” she said. “I need to know how they’re doing acting day-to-day, how their supply chain looks.”

Arrington also told Fifth Domain that she expects CMMC to be adopted internationally in 2020 and 2021.

“Our Five Eyes partners are like, ‘hey, we’re right here with you,’” she said.

With the federal government facing constantly evolving attacks on its supply chain, Arrington said that CMMC needs to be able to adjust to new challenges.

“If it becomes a checklist, we have all failed,” she said. “It needs to become critical thinking about security and understanding that the threat today will not be the same threat that’s here a year or two years from now. And that we have to be constantly looking at how do we tweak? How do we bob? How do we weave?”

Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.

More In Industry