The foundation of the Cybersecurity Maturity Model Certification (CMMC) — the Department of Defense’s new cyber requirements for contractors — will see some coming changes, its leaders recently said.
The DOD will make alterations to the highest level of the five-tier security model after receiving public comments on the recently issued CMMC Defense Federal Acquisition Regulation System rule.
The department issued an “interim final” rule in September instead of first issuing a proposed rule, which meant the rule took effect upon publication. But there was still a 60-day comment period for industry to weigh in. The Office of Management and Budget, which hosts the council overseeing acquisition rules, allowed for this because of “the threat to national security” embedded in supply chain vulnerabilities, Jessica Maxwell, a DOD spokeswoman said in a statement.
“We did not plan to make changes to the DFAR rule,” Maxwell said. She added: “We also recognize that as the threat is not static nor should our model not be static, we are always evaluating the best standards to implement to address relevant threats.”
The DOD is also looking to update its CMMC assessment guides as a part of the comment adjudication process. DOD’s authority to create the assessment guides, which will be used by CMMC assessors, was outlined in a recently released statement of work in a contract between DOD and the CMMC Accreditation Body (CMMC-AB), which is the organization charged with implementing the program and overseeing the assessors and CMMC ecosystem.
CMMC was designed to close the many cybersecurity gaps in DOD contractors’ networks through third-party verification. But the new rule won’t be widely adopted in contracts until fiscal 2025.
The biggest change under CMMC is that now contractors will need to get a third-party assessment for their networks. No longer can they perform a self-check to ensure they are meeting standards. Instead, they will need to hire an assessor to verify it.
DOD received comments from contractors and trade groups, many advocating for clear guidance on the reciprocity between the CMMC controls and other federal IT compliance programs, like the Federal Risk and Authorization Management Program (FedRAMP).
“As the Department moves forward with the CMMC, we believe that it is important to get its implementation right by developing and implementing those cybersecurity protocols that are necessary, while simultaneously guarding against actions and regulations that do not add security and result in harm to industry’s ability to innovate and partner with DoD,” trade group ITI wrote in its comments to DOD. ITI also recommended more clear guidance on how subcontractors will be handled with flow-down requirements.
It’s unclear exactly what changes DOD plans to make, but the announcement also comes after the publication of new protective guidance from the National Institute of Standards and Technology, SP 800-172. Maxwell said the process for adjudicating the comments is not related to the new publication, but Stacy Bostjanick, the acting director of supply risk management at the DOD, told InsideCybersecurity, which first reported the changes to the rule, that the department is also trying to “sync” CMMC levels four and five with NIST’s new guidance. Very few companies will need to meet those levels, DOD said previously.