Status of CMMC, TIC 3.0, Supply Chain Security Trends in 2021
Cyber officials discussed their priorities and what federal agencies should focus on this year.

Top cyber officials are calling on federal agencies to pay particular attention this year to TIC 3.0, the new Cybersecurity Maturity Model Certification (CMMC) standards and supply chain security to significantly reduce cyber risk.
“SolarWinds is not the last event by a long shot, and it wasn’t the first event,” said Katie Arrington, Defense Department CISO for Acquisition & Sustainment, during an AFFIRM event last week. “If you’re an innovative company and you’re not doing the basics in CMMC level 1, you’re not going to be around in five years because your IP, which makes you unique, will be stolen. You should be doing them anyway.”
Even non-defense government contractors need to implement at least base-level CMMC standards simply because there’s so much overlap between defense and non-defense contracting.
“When we look at the industrial base we see a lot of crossover,” said GSA Deputy Assistant Commissioner for Acquisition Keith Nakasone. “The community on the DOD side is also doing work on the civilian side. If there are ways we can adopt best practices, it gives us that whole-of-government look.”
Arrington said DOD drafted a memo to establish reciprocity between the FedRAMP moderate impact level and CMMC level 3 to help cut back any superfluous cyber standards. Contractors should work hard to meet CMMC requirements, she said, but also recognize that CMMC is only the first step.
“CMMC is a start,” she said. “Next year this time, we’re going to be talking about what we need to tweak, supply chain risk management in reality … You thought CMMC was hard, and now we’re going to start with zero trust. How do we build architecture and stability to get to zero trust? CMMC illuminated your supply chain, so you can see everybody in a golden cage. Now let’s really start talking about the risk associated with that.”
Branko Bokan, a cyber lead at CISA, agreed zero trust will become a focus as federal agencies adopt TIC 3.0.
“The perimeter has shifted from one single network to end points or end users,” he said during a FedInsider webinar on 2021 security trends. “The new TIC 3.0 policy allows for this flexibility and allows for this new strategy. The highlight is the shift in the focus from protecting one big network to protecting endpoint devices — that is really the gist and the spirit of TIC 3.0. It gives federal agencies flexibility to continue protecting their traditional network and also allow them to accommodate emerging technologies.”
Steve Wallace, a technical director and systems innovation scientist at the Defense Information Systems Agency (DISA), said two years ago DOD implemented a similar strategy to TIC 3.0, which turned out to be incredibly successful.
“We’ve seen increased performance for the end users and better performance to their browsers because we’re removing the devices in line that address threats in line, the traffic isn’t subject to those same times of inspections anymore,” he said during the webinar.
Wallace and Bokan highlighted that the zero trust approach to security is complementary to TIC 3.0 and supply chain security in 2021.
“Zero trust is not a product, nor a service, not something you can go out and buy in a box. It’s a concept, it’s an end-to-end approach to enterprise security, in which your trust is never explicitly granted, it must be continuously evaluated,” Bokan said. “Shrinking that implicit trust zone to a single user or device — that’s really critical for organizations to understand. Some of the things we see that have been obstacles for federal agencies is, it is critical to have a solid understanding of organizational business data to deploy zero trust architecture. Moving to cloud environments — visibility is going to be challenged for some time.”
As federal agencies continue migrating to the cloud, NIST Fellow Ron Ross said they need to keep TIC 3.0 and supply chain security top of mind.
“Cloud is a great new technology to change business models and offer innovation and capability,” he said. “You’ve got a bunch of servers, hardware, software, firmware, to give businesses and organizations mission capability. It gets back to the basic question: what kind of assurance and transparency do we have in these cloud architectures?”