Transcript

Press Briefing by Under Secretary of Defense for Acquisition & Sustainment Ellen M. Lord, Assistant Secretary of Defense for Acquisition Kevin Fahey, and Chief Information Security Officer for Acquisition Katie Arrington

Jan. 31, 2020
Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord; Assistant Secretary of Defense for Acquisition Kevin Fahey; Chief Information Security Officer for Acquisition Katie Arrington

STAFF:  Good morning, ladies and gentlemen.  Thanks for joining us here today.  This morning, Under Secretary of Defense for Acquisition and Sustainment Ellen Lord, Assistant Secretary of Defense for Acquisition, Mr. Kevin Fahey and Ms. Katie Arrington, chief information security officer for acquisition, are here to introduce the department's Cybersecurity Maturity Model Certification.

You'll see we have given you several handouts, one on the CMMC and then an updated Adaptive Acquisition Framework brochure.  Ms. Lord and Ms. Arrington will have opening statements, and then we'll take your questions.  We do have a hard stop at 8:40, so please be respectful with your questions so everyone will have a chance.

Ma'am, over to you.

UNDER SECRETARY OF DEFENSE ELLEN M. LORD:  Thank you, Mike, and good morning, ladies and gentlemen.  Today I am very proud to announce that the department is releasing the first Cybersecurity Maturity Model Certification, or CMMC, version 1.0.

I'm joined by Assistant Secretary of Defense for Acquisition Kevin Fahey and Ms. Katie Arrington, both of whom have played key roles in taking CMMC from a vision to a reality.  While he won't have an opening statement, I asked Kevin to be here because cybersecurity is such an important component of the Adaptive Acquisition Framework, and Katie has been on point for us for CMMC, so she will provide important insight and context, while also dispelling myths and providing facts.

There are three key takeaways I want everyone to leave here with today.  First, cybersecurity risks threaten the defense industry and the national security of both the U.S. government and our allies and partners.  Second, it was extremely important to me that we communicate extensively with industry, academia, military services, the Hill and the public, to hear their concerns and suggestions on the CMMC model.  Last, today represents an important milestone, but we still have a lot of work to do.  We will continue to work very closely with industry associations and the Hill so everyone has a clear understanding of the process, feedback loops and the way ahead.

So a little bit more depth on the three key points.

First, cybersecurity is a very serious threat for the defense industry, the Department of Defense and all of government.  Both our National Security Strategy and National Defense Strategy rightly underscore the importance of defending against cyber attacks, which offer adversaries low-cost and deniable opportunities to seriously damage or disrupt critical infrastructure and capability.  $600 billion dollars, or about 1% of global gross domestic product, or GDP, each year is lost through cyber theft.  Adversaries know that in today's great power competition environment, information and technology are both key cornerstones and -- and attacking a sub-tier supplier is far more appealing than a prime.

Second, my number one priority throughout the CMMC process has been to over-communicate, get feedback, and then communicate some more.  It was critically important to me that members and staffers on the Hill, academia and the defense industry were all involved throughout CMMC development.  We needed to consistently and clearly communicate the desired end state to build a cyber-safe, cyber-secure and cyber-resilient defense industrial base.  We have worked very closely with industry associations.  We've partnered with Johns Hopkins' Applied Physics Lab, as well as Carnegie Mellon University Software Engineering Institute on the best model possible.

To date, we have used public speaking engagements, social media, news releases and a frequently-asked questions page on the CMMC website to share information and updates.  This approach provided multiple program drafts for comments, and since the first draft publication in September 2019, our office has received over 2,000 comments from individuals, defense industrial base partners and industry associations.  Katie can talk more about the thousands of public comments we received, and how we looked closely to ensure that we understood any unintended consequences.

I have personally briefed and listened to the defense industry trade associations, including AIA, NDIA and PSC, as well as members of academia.  Throughout the process, my team consistently met with staffers to provide updates and answer questions.  Earlier this week I personally met with Hill staffers to answer questions and get feedback.  I believe it is absolutely critical to be crystal clear as to what expectations for cybersecurity are, what our metrics are and how we will audit for those expectations.

CMMC is a critical element of DOD's overall cybersecurity implementation.  One of my biggest concerns is implementing CMMC for small and medium businesses, because that's where a large part of innovation comes from.  We need small and medium businesses in our defense industrial base, and we need to retain them.  We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain.  So right now, there are a number of primes who have come up with some ideas about how to more cost-effectively accredit small and medium businesses.  This includes developing a number of different groups to streamline the certification process.

Lastly, moving forward: Now that we have released the public model today, we are now focusing on the remaining CMMC timeline, selecting third-party vendors, rulemaking and completing a memorandum of understanding with the newly-established CMMC accreditation body.  Specifically, we are looking at late spring/early summer timeframe to complete a new defense acquisition regulation, a new Defense Federal Acquisition Regulation, or DFAR.

Next in the timeline will be the CMMC requirement in selected RFIs [request for information] in the June 2020 timeframe, followed by corresponding RFPs [request for proposals] in the September 2020 time frame, where CMMC standards will be required at the time of contract award.

We continue to work to select third-party certification vendors.  There are multiple companies that are interested right now, but we have not officially designated who is qualified.  We will keep you updated.

Earlier this month, the CMMC accreditation body was created.  It is made up of unbiased parties that will oversee the training, quality and administration of the CMMC third-party assessment organizations, and of course, we have a new acronym for you.

(Laughter.)

They will be called C-3PAO, who will certify the industrial base.

While I won't provide any names today, the accreditation body will consist of 13 members, all individuals from the defense industrial base, cybersecurity community and academic community who self-nominated to join this body.  The AB will be responsible for training and certifying candidate C-3PAOs and individual assessors.  We are currently drafting a memorandum of understanding between DOD and the accreditation body, which will outline roles, responsibilities and rules for this accreditation body.  Conflicts of interest will be a point of emphasis in the MOU, helping ensure auditors cannot review one's own company, for example.

We have been working with industry associations, primes, mid-tiers and small companies on how we can most effectively roll out CMMC, so it does not cause a significant cost penalty for the industrial base.  We understand that CMMC could be a burden to small companies particularly, and we will continue to work to minimize impacts, but not at the cost of national security.

OSD has worked closely with the service acquisition executives to start identifying several pathfinder projects for future RFI/RFPs.  We at OSD will do the same, and we will provide more information to you as this moves forward.

In closing, today's CMMC announcement builds on acquisition policy modernization.  I'm very proud of our Adaptive Acquisition Framework, because I believe it enables DOD to simplify and speed up the acquisition process.  The six different acquisition pathways provide flexibility to apply acquisition authorities and various contract types in a creatively-compliant manner.

In addition, we've almost completed 5000.01, which is the overall defense acquisition system regulation.  We have signed and issued DoDI [DOD Instruction] 5000.74, Defense Acquisition of Services; DoDI 5000.80, Operation of Middle-tier of Acquisition; DoDI 5000.81, Urgent Capability Acquisition and Software Acquisition Interim Policy; and finally, DoDI 5010.44, Intellectual Property Acquisition and Licensing Policy.

This has been a lot of hard work and progress.  I'm extremely proud and appreciative of the A&S team and our acquisition professionals who continue to selflessly serve our nation.

Last, I also want to personally thank the defense industry associations who have played a pivotal role, helping ensure we have the full industry perspective on all of these policies.  Additionally, I would like to thank the Hill for their continued support of acquisition reform and our efforts to strengthen and protect the defense industrial base.

Now Katie will offer her remarks, and then we'll be happy to answer your questions.  Katie?

CHIEF INFORMATION SECURITY OFFICER KATIE ARRINGTON:  Good morning.  I'd like to read the following statement:

Thank you, ma'am, and good morning, ladies and gentlemen, and thank you for being here.  As Ms. Lord said, the department's adopting the CMMC framework in order to assess and enhance the cybersecurity posture of the defense industrial base.  The CMMC framework will serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are implemented to protect controlled unclassified information residing on defense supply chain contractor networks, and reduce the risk of advanced persistent threat by invoking critical thinking skills around cybersecurity.

The CMMC model combines multiple cybersecurity standards, from the National Institute of Science and Technology, a special program -- a special publication, 800-171r1; AIA NAS9933, the international standards organization, ISO, 270001; and also, we took into account the -- the future NIST 171-Bravo version.  They're included in the model.

Given the diversity of the DOD supply chain, the fact that cybersecurity is not one-size-fits-all, CMMC consists of five levels that enable the progression of cybersecurity maturity for defense contractors, as you can see by this, from basic cybersecurity hygiene to advanced.  And if you look at the -- the display, on the left-hand side you'll see 17 capability domains.  CMMC Level 1, which is basic cyber hygiene, is one control from each of those domains.  So something as simple in -- in Level 1 would be, does your company have antivirus software?  Are you updating your antivirus software?  Are you updating your passwords?   CMMC Level 1 is the basic cyber hygiene skills that we should be doing every day, regardless.  They're there to protect yourself, your company and your own information.

Level 2 on the CMMC is when we start implementing and helping small businesses, mainly, implement process into their -- their maturity of cyber-secure certification.  So we've added levels to that, and it's a big move from Level 1 to Level 3.  There are a lot of controls.  You're moving from 17 to over 110 controls.

So Level 2 is to help companies create a process and put that in place.  It also helps in their business planning and how to -- how they can plan for doing work in the future, and how they can work their budgets to make that possible.

Level 3 is actually policy.  It's managed.  It's when CUI [controlled unclassified information] touches a -- a customer's net.  So companies today that are using DFAR Clause 252.204.7012 are self-attesting that they are implementing all NIST 171r 110 controls.  That's all that we're asking in the CMMC Level 3.

Level 4 is where it's reviewed.  That's -- you'll see the -- certain requirements that were in the NIST-Bravo version.  You'll see those appear in Level 4 and Level 5.  Those will be very critical technology companies that will be working on those programs.  And because one size is not -- it -- one size does not fit all in cybersecurity, we created it to have a mapping to go over all of them.  The intent is to specify the required CMMC level in request for proposals, and for the winning offer to achieve the CMMC level as condition of the contract award.

The department has undertaken a transparent and collaborative process, where we partner with three defense industry associations and the Defense Industrial Base Sector Coordinating Council.  They were all part of these three CMMC working groups that met weekly since April of the past year, doing the separate iterations.

We also met with -- multiple times with Hill staffers to brief them and answer their questions.  And I want to thank each of them for the continued partnership on the CMMC.

It was critically important for us to engage and receive feedback from all of these key stakeholders throughout the process, so we could build the best model possible.  Their feedback plus over thousands of public comments, as Ms. Lord described, received between September and December 2019, helped earlier iterations of the draft CMMC models, model version 0.4, version 0.6 and version 0.7.

And they played a key role in developing what we're releasing today, version 1.0.

Now, I want to provide a detailed look at the CMMC timeline, how we're working with the accreditation body to establish requirements for third-party assessment organizations, C-3PAOs, individual assessors and what companies can expect.

First, on the timeline, you can see version 1.0 and the five levels at the bottom.  So the bottom is the actual model itself.  So the -- it's -- today I want to put that one a gold-star yellow.  We're done.

(Laughter.)

We got the model out.

But as you can see, as we progress through that, we have a roll-out plan; we have the rule-making, if you go to the top of the timeline.  We have rule-making and how we're following that process.  We have the roll-out plan.

So as you can see, we start the initial RFIs in June.  And then we moved to the official RFPs with CMMC in the requirements.  That is based on the rule-making, the DFAR rule change.

Then we have -- we're doing -- the CMMC accreditation body was established.  We're in the process of getting the MOU over to them.  They'll have a marketplace on their website about the March, early April time frame, where companies can start coming in and getting information.

The -- we'll start doing the pathfinders for this almost immediately.

So what we're doing is, we're taking current contracts that we have in place in the Department of Defense.  Ms. Lord has been instrumental in -- in working and getting a joint collaborative body here in the department, where we're looking at current contracts and how they would relate to CMMC.

Those are inclusive of the new 5000 series, to make sure that we're -- we're tracking.  And those will be the pathfinders that we'll be working through.

We'll also be creating, or in the process, with DAU [Defense Acquisition University], creating CMMC training that will be available in the June time frame, as we move forward through the first RFIs.  That's when the training will be live on the DAU website.

The accreditation board has elected their chairman.  They've named a board of -- the board of directors and have launched their website in preparation for the next very busy few months for them.

We'll update as the MOU is signed and delivered and the training assessment guides to the accreditation bodies.

As I've stated, the major milestones for the rest of the fiscal year include picking pathfinder programs, including the initial RFIs for the CMMC requirements in June, the CMMC requirements and RFPs in October and working with the accreditation body of the certification of the candidate C-3PAOs.

The department is working with the military services and agencies to identify candidate programs that will implement the CMMC requirements during the F.Y. 2021 through F.Y. '25 phased rollout.

All new DOD contracts will contain the CMMC requirements, starting in F.Y. '26. Consequently, organizations working with the DOD will need a CMMC certification within the next five years.

The DOD standard acquisition cycle generally runs in five-year cycles, one base year plus four option years.  The department has delivered the CMMC model version 1.0 to the accreditation board.  The accreditation board will then use the model and the associated assessment guides to mature training for candidate C-3PAOs.

In parallel, the A.B. board will establish requirements for candidate C-3PAOs and individual assessors.

We've had numerous companies ask, "How do I become a C-3PAO or a credentialed CMMC assessor?"

The CMMC A.B. will establish requirements for candidate C-3PAOs and individual assessors.  In addition, the CMMC will -- A.B. -- will provide updates on training classes, which are planned to start in early spring 2020.

Lastly, the accreditation board and the CMMC website will be the best places for companies to get the information.

Both of those website addresses are on the flyer, on the seats out there.

After the A.A.B. -- the CMMC A.B. certifies C-3PAOs, companies will be able to schedule CMMC assessments for specific levels through a CMMC marketplace portal.

So let me get to some maths -- myths vs. facts.  This first one is, "current contracts will have CMMC put into them."

That is not the case.  We are doing this in a very deliberate, slow, rollout process.  We are going to start with just a few contracts that will have the RFI in October.

We want to work hand-in-hand with the CMMC accreditation body, mostly with our industrial base partners, to ensure that, as we roll this out, that the companies that are coming in and the pathfinders, that they have an opportunity to get certified.  And remember that the certification to win work is going to be needed at the time of award.

"The level of the prime needs to be the same for all of the subcontractors on a contract."

No.  As I stated earlier, security is not one-size-fits-all.  So what we are doing in the new 5000, the adaptive acquisition framework, and in the 5000.CS, we actually went through and broke down how you should look at cybersecurity on your -- your acquisition.

Does this -- does this program have any controlled unclassified information?  If it does, you would immediately think the first level would have to be CMMC-3 for the prime, because, right now, that's what the DFAR rule says.

But, subsequent, the flow-down of that information is really important.  And you shouldn't -- as a prime, we shouldn't burden small businesses that aren't prepared or expecting to get CUI.  So they would only need to be a level one, if they're not touching the controlled unclassified information.

One of the things -- "DOD did not work with small businesses enough in developing the model."

Small business has been involved in our CMMC working groups weekly, since April.  And we have been working with the Office of Small Business in the Department of Defense.  We trained over 5,200 small businesses last year specifically on cybersecurity in preparation for the CMMC.

Half of the CMMC A.B. board are individuals that have come from small business, because they believe that we can create the CMMC.  We have made over 100 industry listening sessions and engagements since April of last year.  And we will continue that pace through the pathfinder process, as this is a collaborative effort between industry and government.

"Will the CMMC prevent small businesses from fair competition and work?"

Actually, quite the opposite is what is happening today.  Currently, today, if you had two small businesses bidding on work and they both have CUI on the net, and they have to -- they're self-attesting to the DFARS Clause 252.204.7012, they self-attest that they are doing 110 controls.

Company A may only really be doing 80, with a plan of action to do the other 30, and they're not implementing them.  Company B, they are actually doing all 110 controls.  They are doing -- they're self-attesting, that they are doing everything that they have signed and said that they would do in regards to the NIST.  Company A's rates are generally going to be lower because they're not doing those additional 30 controls.  But oddly, they're both technically acceptable.

The CMMC is going to change that. We need to make sure that our industry partners are prepared to take on the work, and the third-party auditors will ensure that they're implementing the practices that we need in place to secure the national defense and our industrial base.

With that, I will stop for the day, I will turn it over to Mr. Fahey.

We -- in DOD, we highly value our small business industry partners, who are a critical source of innovation.  Throughout this process, we have worked closely with industry associations and small businesses.  We understand that the implementation of the CMMC must be cost-effective to enable small business to achieve required CMMC certification and associated cybersecurity posture.

A&S will continue to work with the DOD Office of Small Business Programs, and other small business communities, to ensure that we are taking all efforts we can to offset this cost.  For example, OUSD(A&S) is working with the Program Technical Assistance Center, PTACs, to provide cybersecurity education programs and assistance.

In closing, we'll continue to provide updated information on this effort on the DOD CMMC website.

Now, Mr. Fahey?

(UNKNOWN):  Actually --

(CROSSTALK)

MS. LORD:  I'm sorry.  Mike?

STAFF:  So what we'll do is, if you can go ahead and put up the website -- so there is a CMMC website.  The three slides that you just saw, I'll send that out to all of you, so you all have a copy of that.  So thank you for your patience, this is a really complicated topic, so thank you to our -- to our leaders for taking the time.

We're going to start with Mike, and then we'll go to Travis.

Q:  Thanks.  Mike Stone from Reuters.

A couple questions on cost.  First off, what's the cost of the accreditation?  I make foam seats for a stealth bomber, that's the only thing that I make and I'm changing my password every 30 days.

My prime, who's going to be accrediting this small business, they're going to charge me -- what? -- 1,200 bucks a year, 1,400 bucks a year in order to make sure that I'm changing my password --

MS. LORD:  We don't have that level of fidelity at this point.  That's exactly what the pathway that Katie addressed is getting down to in terms of actual cost to implement.

Q:  And so what's the stick on the other side of it?  I'm not making this, so who's going to fine me, what's the fine going to be for not being in -- in compliance?

MS. LORD:  We're not talking about fines, we're talking about -- again, remember, we're not doing this retroactively.  So we are looking, moving forward, at new RFIs, new RFPs, rolling it out in a very measured manner.  And it's the cost of being awarded a contract or not.  This is not a trade with costs and schedule and performance, there's a minimum standard that needs to be met, which will allow you to be compliant or noncompliant.

STAFF:  Travis?

Q:  Thank you.  Travis Tritten with Bloomberg Government.  Ms. Lord, you had mentioned the ideas from prime contractors to potentially help some of these small and mid-size companies that are concerned about cost.  And you said that there could be a number of new groups.  Could you elaborate on that, and kind of explain what some of these ideas are and how they would work?

MS. LORD:  I don't want to get in front of the primes in terms of what they're working on right now, but they obviously have small businesses as a critical part of their supply chain.  So the thought was to work with them, help them obtain certification, so that they would be ready to go and be sub-tier to them on a variety of contracts.

So it's really leveraging the power of the primes, understanding staffing and relationships with the rest of the accreditation organizations, to streamline that.  So sort of a one-stop shopping versus having the smalls do it themselves.

However, the primes have indicated to us what they're thinking about doing.  I certainly do not want to speak for them, and I think that it would be great for you to speak to them directly about what their ideas are.

(CROSSTALK)

MS. LORD:  Sure.

MR. FAHEY:  So you know, I'll give you one example that they do today, so I know they'll do it tomorrow.  There are certain instances where they have a critical subcontractor that, what they do is that subcontractor works within their infrastructure, right?  So that's something that would definitely carry in the future, where it's a critical thing.  So they do that today --

MS. LORD:  Right, so the meaning, that this is something that we want to get to in terms of DevSecOps [development, security and operations], we are creating cloud environments to develop and then push capability.

One of our ideas, going all the way along, was instead of having smalls create their own infrastructure, would be just to come and work inside of a secure government environment.  And what Kevin's saying, is the primes are saying, perhaps they could come and work inside of a prime's secure environment.

Q:  And if I could just follow up, are there particular areas of the industrial base that you feel are most at risk and that you would be focusing on initially with these certifications?  Maybe not specific programs, if you can't name that, but just specific functions or areas of the base.

MS. LORD:  Well, first of all, we are doing crawl-walk-run in terms of our first implementations to make sure that we can scale it.  But, as always, our number one priority is nuclear modernization, then missile defense.  So those more critical aspects, we would obviously be spending a lot of time on.

MS. ARRINGTON:  And the other area -- might I add, please -- is the OTAs [Other Transaction Authority], the SBIRs [Small Business Innovation Research] and the STTRs [Small Business Technology Transfer].  Because the small businesses, the nontraditionals that may not have done work with the government prior, are the ones that we really want to help get cybersecurity, critical thinking skills in, before they even start working with the government.

So this is -- you know, we're working it -- you know, the crawl-walk-run, large contracts and small, in the pathfinder process.

STAFF:  We're going to go to Aaron, and then we'll come back down here.

Q:  Thanks.  Aaron Mehta with Defense News.

Quick question on this, and then a follow-up on something else.  Is there any cost involved with spinning this up?  I mean, how much money has to go from DOD into creating the standard and bringing the people involved in --

MS. LORD:  Well, obviously, labor is not free.  So we are taking a number of people within A&S to do this.  So right now, it is primarily the labor.  However, as we mentioned, we're working with Johns Hopkins APL and Carnegie Mellon SEI so there are contracts involved in that.

MS. ARRINGTON:  But we've had no cost with -- or have any intention with the accreditation body.  That was self-stood up.  We have nothing to do with that.

Q:  Gotcha, thanks.

And then a broader budget question for Ms. Lord.  Back in 2017 and also 2018, then-Secretary Mattis and Chairman Dunford went on the Hill a couple times and said they needed 3 to 5% budget growth over inflation year-over-year to, quote, "preserve just the competitive advantage we have today, let alone try to build for the future."  We keep hearing now that the budgets are going to be more flat going forward in the future, what happens now?  What happens to that competitive advantage?  Are you concerned about that?

MS. LORD:  We're getting more and more efficient.  That is obviously what Secretary Esper is focused on with his defense-wide review, that we are cutting out administrative tasks and a variety of portions of programs, to make sure we return those savings to our critical modernization efforts, such as A.I., hypersonics and so forth.

Q:  So that's no longer as much of a concern because of those internal changes?

MS. LORD:  We are always having to look very carefully at our budgets and make sure we triage them to focus on the critical few.  So we're always concerned, but we're always going to work it.

STAFF:  Jon?

Q:  Thank you.  Jon Harper with National Defense Magazine.  You mentioned that you're taking a crawl-walk-run approach, but the fact sheet you handed out said that the requirements won't be fully in place for all contracts until 2026, which is six years from now.  So why is this rollout going to be over such a long period?

And then, with regard to the third-party assessors, how much funding will be going to those companies that will actually be doing the accreditation?

MS. LORD:  All right, so on the first part of it, obviously, this is a complicated rollout for industry, and we're being realistic in terms of making sure we have pathfinder projects, and then we implement it and learn, get the feedback and go on.  I will say that this is really getting at securing the defense industrial base.

This is a critical cornerstone of the department's overall cybersecurity effort, but it is not the only cybersecurity effort.  So right now, we have an enormous amount of work partnering with NSA, looking at weapon systems, looking at installations, assessing cyber vulnerabilities and then going and mitigating those.  So this is one of many efforts, and we believe we are doing this with what I would call irreversible momentum.  We want to make sure that this works and that it is sustained.

Secondly, we as the department are not paying any money to any auditors.  That's a private transaction between industrial base companies and those certification bodies, if you will, similar to what -- the way ISO [International Organization for Standardization] operates, ISO certification for quality.

STAFF:  We're going to go right here, we're just going to go, three or four, but we are running out of time, so let's go.

Q:  Is there a target number for how many initial RFIs will be rolled out this summer with CMMC?  And then, will that be a sort of deliberate mix of a percentage of Level 3, Level 4, Level 5?

MS. LORD:  I'm going to pass that to Katie.

MS. ARRINGTON:  We're targeting 10 RFIs and 10 RFPs this year.  We're looking -- and just to do the, you know, the analysis to look at all the different contracts we have, and you know we have a great deal in the department.  We figured that with each one, we've assumed that there would be 150 subcontractors along that in some capacity.  So 10 contracts with 150 contractors per.  And yes, it will be a mix.  We'll have some CMMC Level 3, CMMC Level 1, and there may be one or two that have the 4 or 5 CMMC levels going out.  But we are working those.

The question -- I also wanted to remark about the process.  I mentioned in my statements that our -- most acquisitions go one base year, four years, and we said that we won't be inserting CMMC to an existing contract.  So why the rollout will take five years, is because contracts may not come back around for five years.  So if this is a very, as Ms. Lord stated, crawl-walk-run, we're working because we want to ensure that we -- we don't put the certification into a community of party of interests that aren't prepared to get ready to submit their bids, we want to ensure that we're working with industry throughout this process.  So that's why we're taking it as a slow pace.

But remember that a company's certification is good for three years.  CMMC will be good for three years, and it will be based on the company, specific.  So if you're bidding work for the Navy, this same CMMC certification will be good for Navy work, if you're bidding for Air Force work or you're bidding for Army work.

Q:  Just a quick follow-up.  So it's 10 and 10; will that, like, double each year leading up to F.Y. '26?  And then separate on those --

(CROSSTALK)

STAFF:  We're running out of time.  I'm sorry.

MS. ARRINGTON:  I think we're learning as we go, and we can't predict it right now.

STAFF:  Okay, good.

Q:  Lauren Williams with Federal Computer Week.  I just wanted to ask a question about how -- how you get from zero to 1, because there are going to be a lot of companies out there that aren't even necessarily at the Level 1 status and they don't know how to even begin to get there.  So who's going to be owning that, and how would they do that?

MS. LORD:  We own in A&S under industrial policy the relationship with industry, and one of our challenges is how to bring companies that aren't familiar with defense work in, and we just created, early this year, what we call a placemat with, step-by-step, how you work with industry, and we might want to give that to everyone.  It's electronic with a lot of hyperlinks.  That would be step one, to call our industrial policy team -- it's really like our helpdesk, if you will -- and then they would vector to individuals in Katie's team who could help.  But again, the industry associations are going to play a pivotal role here, and they provide an enormous service to industry to say, what does it take to work with DOD?  And I think in the end, they are going to be really key in all of this.  But we have pathways to come in, as well.

MS. ARRINGTON:  Can I add onto that, because small -- the Office of Small Business oversees the PTACs, which I mentioned in my statement.  Each -- one member from each PTAC will actually become -- go to the A.B. -- the CMMC classes and get certified, so that they're ready as a resource for small businesses.  We're also working through other small business organizations to get members certified, so that -- that they can go out and help, at low or no cost, the small businesses map out how to get from Level 1 to 3.

MS. LORD:  And perhaps, Mike, you could just push to everyone some information later on the PTACs.  Because I'm not sure everyone's familiar with that concept -- how they're geographically-dispersed.

STAFF:  Yes, ma'am.  That's good.  No problem.

MS. LORD:  Thanks.

Q:  You mentioned how initially, our modernization and missile defense are key priorities.  So would -- is it fair to say that GBSD [Ground Based Strategic Deterrent] could potentially be identified as a candidate program for the CMMC rollout?

MS. LORD:  I just had a great program review earlier this week with the GBSD team, and they are already underway.  As with our new acquisition policies, we are not requiring retroactively to go back.  That being said, program managers and PEOs are very interested in what is in our new acquisition policies and instructions, as well as what CMMC brings, so they are trying to take the best of that.  I will say, if you talk GBSD, you're talking Northrop Grumman.  I know Northrop Grumman is very interested in becoming compliant -- to become certified, as most of our large primes are.

MR. FAHEY:  Just quick, Ms. Arrington talked about how the supply chain would work.  When you look at the nuclear things, in many instances, the industries are the same.  So if you do the contract over here, a high percentage of, like GBSD would be covered.  All right.

STAFF:  We're going the last two, right here.

Go ahead.  You're good.

Q:  (inaudible).  So as the CMMC is implemented, industry lawyers are predicting an increase in these OTAs and other contracting vehicles outside of the reach of the FARs -- the DFARs.

What can we expect in terms of -- you know, from your office, in terms of policies instructing PMOs [program management office] or contracting officers, on ensuring that these CMMC requirements are in those nontraditional contracts?  And what would be -- you know, timing and oversight be for that process?

MS. LORD:  Okay, so this is like a Pareto diagram, dealing with the large contract types and acquisition authorities and then working down.  So we're working through all of that.  If you want to go ahead and comment --

(CROSSTALK)

MS. ARRINGTON:  So actually, we've already gone out and we started communications with a great deal of the OTAs.  Some of them are government, which they do -- they fall under acquisition, not the DFAR.  They will be putting it as a technical requirement as they roll out the awards -- I mean the white papers, if you're doing an OTA or SBIR or STTR.  So it will be a technical requirement versus a DFAR.

STAFF:  Ending with you, go for it.

Q:  Hey, Valerie Insinna with Defense News.

Ms. Lord, this is a question for you, not about cyber.  The F-35 program office and Lockheed are investigating the mix-up where two different types of fasteners were commingled and used throughout the history of production.

I was wondering, you know, how big of a deal is it -- how big of a deal is this from your purview, and what's the plan to mitigate the issue?

MS. LORD:  I just looked at samples of that issue earlier this week.  Right now, we have assessed that there is no structural compromise of the aircraft.  We continue, obviously, to identify root cause and irreversible corrective action.

At this point, the JPO [joint program office] is working closely with Lockheed.  We will continue to assess if there are any issues, but we have confidence in the integrity of the aircraft at this point.

Q:  If I could just follow up very quickly, you know, Lockheed has made these sort of production mistakes before, so what's your take on Lockheed's level of improvement when it comes to adhering to production standards and processes?

MS. LORD:  Over the last two and a half years, I've seen the Lockheed plant that produces the F-35 make incredible strides in terms of transitioning to what I would call a visual factory, making sure that hardware is kitted up and delivered to the line.

I think this is a journey that we will be on for the entire life of the F-35.  We're always looking for continuous improvement, but the F-35 JPO is working very, very closely with Lockheed and their whole industrial base, and I am confident of the quality that's coming out and I'm also very confident that Lockheed is going to continue to improve performance month over month, quarter over quarter and year over year.

STAFF:  Okay, Ma'am, do you have any closing remarks?

MS. LORD:  Just say that I appreciate everybody showing up here at 8 o'clock.  Thank you, Aaron, and we appreciate you taking the time to really try to understand some of these more technical things.

Thank you, everyone.