GOT FEDRAMP? CMMC MAY NOW BE A LOT EASIER

Contractors with existing FedRAMP or Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certification will not have to go through a separate Cybersecurity Maturity Model Certification (CMMC), according to DOD officials. Katie Arrington, the chief information security officer for Defense acquisitions, was recently quoted in a NextGov article stating, “I’m going to take any ISO 27001 and provide reciprocity,” referring to the formal international information security standard upon which all of the reviews are based.

This is good news for contractors that have already paid third-party certification organizations hundreds of thousands of dollars to show that their systems can safely handle government information. It also means that DOD will have a ready-made field of companies eligible to compete for projects where CMMC is required. CMMC safeguards can therefore be in place in more areas ahead of schedule.

There are, of course, some differences over implementation. Unlike FedRAMP, which credits companies for submitting a plan of action and milestones, or POA&M, CMMC will approve companies based purely on where they are at the time of review. Arrington explained, “A CMMC level 3 is a FedRAMP moderate, so if you’re using a cloud service provider to supplement portions of a CMMC 3, then absolutely, you need to have the CSP’s certification for the assessor. The difference between CMMC and FedRAMP is we are not allowing plans of action to get better, right, you either are or you aren’t.”

Still, companies that thought they were facing significant new costs and delays that could put them at a competitive disadvantage have to be pleased. Less spending, faster implementation, and the ability to compete now all place certified companies in a good position to obtain DOD business.