DoD-Industry Roundtable Provides Update on Forthcoming Cyber Policy
On June 5, 2019, the Aerospace Industries Association (AIA) hosted the Industry – DoD Cybersecurity Meeting. The gathering was co-hosted by other industry groups, including PSC and NDIA. Hot topics on the agenda included DoD efforts in CDI determination and delivery to industry, presented by Melinda Reed, OUSD(R&E); and the DoD Cybersecurity Maturity Model Certification (CMMC), presented by Katie Arrington, OASD(A).
Melinda Reed’s presentation, titled “Cybersecurity Challenges: Protecting DoD’s Unclassified Information,” emphasized the importance of marking and identifying covered defense information (CDI). DFARS 252.204-7012 requires CDI to be protected. The presentation also noted that CDI includes unclassified controlled technical information (CTI).
The marking requirement for CDI includes:
- a dissemination limitation,
- a reason,
- a date, and
- the name of the controlling organization.
The presentation also provided insight into where CDI marking responsibilities fall. The Program Office/Requiring Activity is required to: identify and mark CDI as government furnished information (GFI); direct the appropriate marking and dissemination requirements for CDI in the contract when CDI is being acquired; and verify the appropriate marking of CDI when it is provided to the contractor as GFI. The contractor must follow the terms of the contract, which include: following GFI marking and dissemination requirements; following directions in the contract to apply the marking and dissemination statements; and appropriately disseminating controlled unclassified information (CUI), along with the marking and dissemination requirements, to their subcontractors. She noted that the material would not be marked as “unclassified,” but that classified material would be marked as such and that the level of classification would also be provided.
Following Melinda Reed’s presentation, Katie Arrington, the lead cybersecurity expert in the office of the Assistant Secretary of Defense for Acquisition, spoke on “Securing the Supply Chain.” Her presentation focused heavily on the need to ramp up supply chain cybersecurity through the implementation of the Cybersecurity Maturity Model Certification (CMMC). Arrington began by explaining why security should be prioritized: it is the foundation for the three pillars of defense acquisition, which are cost, schedule, and performance. She emphasized that these three pillars are only effective in a secure environment, which is why security must be the foundation rather than a fourth pillar.
In her presentation, she announced that the CMMC website would be up in two weeks. They are on track for public release of the CMMC in January of 2020. At that point, it will be turned over to the Information Systems Audit and Control Association (ISACA) for training and certification of third-party assessors. She said that by June of 2020 the CMMC will be seen in requests for information (RFIs), and by September it will be in requests for proposals (RFPs).
Arrington also took this opportunity to announce an exciting 18-month timeline that will include: implementing 809 reforms, getting a new color of money for software, getting pathfinders underway, and a rewrite of DoD’s 5000 series instructions on defense acquisition system operations, condensing approximately 300 pages into just seven. She also announced plans to host Listening Sessions in 11 cities across the U.S. throughout July and August. The kick-off for these Listening Sessions will be at NDIA’s 31st annual Navy Gold Coast event in San Diego, California.