After months of delay due to the coronavirus pandemic, the Cybersecurity Maturity Model Certification (CMMC) rule change is officially here.
The new CMMC rule in the Defense Federal Acquisition Regulation Supplement (DFARS) officially took effect Tuesday after a 60-day comment period.
The acquisition regulation rule changes finalize CMMC as Department of Defense policy, meaning that the Pentagon can now put the requirements — first published in January — into contracts. It’s a major change from the defense industrial base’s prior cybersecurity requirements, where contractors that handle controlled unclassified information could simply self-attest their compliance with security measures. Now, the DOD has moved to a “trust but verify” model that will require all contractors to get a CMMC assessment and be certified on a five-level scale of cybersecurity maturity.
The change is a long time coming: It was initially promised in May, but delays caused by the pandemic pushed the interim final rule’s publication to the fall and finalization to Dec. 1. To speed things up, DOD used a special process to implement the changes — one that does not take into account public comments and allows the rule to take effect immediately after the comment period, instead of the usual timeline where DOD reviews public comments before making a rule final. DOD, however, could still tweak the rule in the future after reading through feedback.
While the rule change is now final, DOD officials have said they will roll out the requirements over the next five years, giving contractors time to get assessments from accredited assessors who are currently being trained by the CMMC Accreditation Body.
“Today is a new day,” Katie Arrington, chief information security officer for acquisition and sustainment and the DOD’s lead CMMC official, said at AFCEA’s TechNet Cyber event Tuesday. Arrington said a press release is forthcoming announcing which contracts will be first to see CMMC requirements.
While CMMC has five tiers of security requirements, Arrington has said most contractors likely will only need to meet level one — the lowest level of security under the model — while very few will need to meet level five.
Some changes under the rule will take effect more immediately. For instance, contractors that work with controlled unclassified information will need to submit a self-assessment of their current cybersecurity posture into DOD’s Supplier Performance Risk System (SPRS). This new requirement was not advertised until the draft rule was published two months ago.
The type of rule change DOD initiated allows the rule to take effect immediately after the comment period, instead of the usual timeline where DOD reviews public comments and then makes a rule final.
Some industry groups are still looking for more information on the rule change. The Information Technology Industry Council wrote in its comments that it wants more clarity on security baselines, reciprocity with other government standards, and assurances about how securely DOD will store sensitive information on companies’ assessments.
“As the Department moves forward with the CMMC, we believe that it is important to get its implementation right by developing and implementing those cybersecurity protocols that are necessary, while simultaneously guarding against actions and regulations that do not add security and result in harm to industry’s ability to innovate and partner with DoD,” ITI wrote in its comments.
DOD officials have said that Enterprise Mission Assurance Support Services (eMASS) will be the database that stores information on contractors’ assessments. That information will need secure storage, since the assessments point out weaknesses in contractors’ cybersecurity that could be helpful to attackers.