The last step for the Department of Defense to start putting its new cybersecurity requirements into contracts is on course, after concerns the coronavirus pandemic would delay its implementation.
The Cybersecurity Maturity Model Certification (CMMC) program is now just waiting for the Office of Management and Budget to approve a rule change to the Defense Federal Acquisition Regulations (DFAR) that would allow the DOD to write clauses into requests for proposals requiring CMMC in all contracts. CMMC is a five-level cybersecurity maturity model for which all defense contractors will need to receive a third-party verification before they can bid for work with the Pentagon.
The DOD program office in charge of CMMC had previously said some delays would occur since the rule change process requires a public hearing, which is difficult to schedule while group gatherings are unsafe.
“We are still tracking right along for the DFARs rule change,” Katie Arrington, CISO for acquisition and sustainment and lead CMMC official, said Wednesday during a webinar. “That has not deviated.”
Other cybersecurity and DOD contracting specialists praised the work that has been done while officials both in DOD and outside groups working on CMMC have been working through the coronavirus pandemic.
“We do have a lot of reason to hope,” David Berteau, president and CEO of the Professional Services Council, said during the webinar. He and others added that, still, “there is a good bit of work to be done.”
The work left to do in industry mostly falls out of DOD’s hands. The actual implementation of the program, including the training, development and quality control of the assessment ecosystem, is controlled by the CMMC Accreditation Body. The AB is a third-party nonprofit run and staffed by an all-volunteer group that has recently run into turmoil over its direction and relationship with DOD.
The rule change will be one of the final steps in bringing CMMC into contractual reality. The DOD has said industry should expect CMMC requirements to be in a small number of contracts by the end of the year. The full program will be rolled out over five years, giving contractors time to get the certifications necessary to continue working with the DOD. Some large prime contractors may need multiple assessments as the program tests individual networks, not firms as a whole. The vast majority of contractors will only need a level one certification, which comes with minimal cyber hygiene requirements.
The department is currently working with “pathfinder” contracts: requests to industry that include CMMC language but do not require certification as no assessors have been trained or certified by the AB. Initial results of the tests have been positive, Arrington said.
“The pathfinders have been going incredibly well,” she said.