Industry has concerns with CMMC’s ‘very ambitious’ rollout
A coalition of technology trade associations is concerned with the rollout of the Department of Defense’s new cybersecurity standards and certification process, stressing in a letter that DOD needs to clarify gaps in how the industry will need to prepare for the new model.
The Cybersecurity Maturity Model Certification (CMMC) will require all contractors — from boot manufacturers and ammunition makers to cybersecurity firms — to be certified by a third-party assessor to ensure they meet cybersecurity standards on a five-level scale.
But how those scales will be implemented and the ways that the DOD will indicate what will be required of contractors needs more details, says the letter signed by the Information Technology Industry Council (ITI), Alliance for Digital Innovation, BSA: The Software Alliance, Cybersecurity Coalition, Internet Association, and the Computing Technology Industry Association (CompTIA).
“We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs,” the trade groups said.
CMMC Accreditation Board members announced yesterday that CMMC is still on track to be introduced into some requests for information contracting documents this summer and all contracts by 2025. The board will oversee the training and certification of third-party assessors.
That timeline is “very ambitious,” according to the letter; industry associations are concerned that building an enterprise of third-party assessors will be too much of a lift to meet the current timeline. The global pandemic of novel coronavirus won’t make it easier, Simone Petrella, CEO of cybersecurity workforce company CyberVista, told FedScoop in an interview.
“The biggest impact is that it is going to force this process into some sort of virtual environment,” Petrella said. She added that training online can be accomplished, but it will need measurable feedback and “a robust process by which you can think through this process in a remote setting.”
The associations are also concerned by CMMC’s interoperability with other government cybersecurity requirements. Processes like FedRAMP already have strict security requirements and the associations want their members to be able to easily switch between the two sets of standards.
CMMC requirements already mirror many of the same controls that FedRAMP does, but not all.
“Allowing for reciprocity with other cybersecurity requirements will reduce the cost and administrative burden of compliance and allow DoD to achieve its cybersecurity goals on a quicker timeline,” the letter states.
Another issue the associations want clarity on is how the DOD will identify which level a contractor will need for what part of a contract. Katie Arrington, the CISO for acquisition and sustainment and leader of the DOD’s CMMC efforts, said that subcontractors will not need to meet the same requirements as larger primes to participate in parts of the same contract. But industry wants more details on how contractors will know at which level they will need to be assessed.
“(I)f each acquisition authority or prime contractor is allowed to establish certification requirements on its own, multiple authorities may set different level requirements for substantially similar services,” the letter states.
