Federal contractors still face a lot of unknowns about how the Pentagon’s controversial Cybersecurity Maturity Model Certification program will be implemented, the head of a leading trade association told lawmakers Tuesday.
The CMMC program is an effort to prod the defense industrial base to improve their cybersecurity with new certification-based standards and better protect controlled unclassified information from adversaries.
After receiving major pushback from contractors about the burdens and cost of implementation and conducting an internal review, the Department of Defense in November announced that it was revamping its plans and would eventually implement what it called CMMC 2.0.
Additionally, earlier this year Deputy Defense Secretary Kathleen Hicks moved responsibility for the program from the Pentagon’s acquisition and sustainment office to the Office of the CIO.
“The requirements are in the early stages of the rulemaking process. And so we anticipate a revised Defense Federal Acquisition Regulation Supplement to … come out. We’ve heard various estimates that it could be as early as late this spring or as late as a year from now,” David Berteau, president and CEO of the Professional Services Council, said during a Senate Armed Services Committee hearing on the health of the defense industrial base.
He continued: “What we don’t know is, what’s the next standard we’re gonna have to comply with? What’s the timeline in which the flag will go down and you’ve got to be in compliance? And what can you do now to be ready for that when you don’t know … what standards you’re gonna have to meet? So, there’s still a lot of ambiguity there.”
Delays in the program have implications for cybersecurity, he noted.
“One of the problems or concerns that we’ve raised from the beginning is the threat is not waiting for this implementation, if you will, and every day that threat grows,” he said. “The real question is, do those standards go far enough in order to protect us against the evolving threat? And nobody really knows the answer to that.”
CMMC 2.0 is intended to simplify the standards, minimize barriers to compliance, provide additional clarity on regulatory, policy and contracting requirements, increase department oversight of “professional and ethical standards in the assessment ecosystem,” and improve the overall ease of execution, according to a DOD press release issued in November.
Key changes include a reduction in the number of security compliance levels from five to three, and a reduction in the number of contractors that will be required to get third-party verification of their compliance.
The DOD plans to specify a baseline number of requirements that must be achieved by contractors prior to contract award.
CMMC won’t be implemented until after the completion of the rulemaking process for the Code of Federal Regulations and the Defense Federal Acquisition Regulation Supplement.
However, the Pentagon has encouraged contractors to beef up their cybersecurity while the rulemaking is underway.
Berteau noted that many contractors are already moving to come into compliance with the cybersecurity standards laid out in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which are expected to inform CMMC.
“Almost every company I know and that participates in the defense business today at the prime contractor level, whether large, medium or small, is already investing and has a plan on record for compliance with and meeting those standards,” Berteau said. “It’s not being incorporated into contracts [now as part of CMMC] … but a lot of people are moving forward anyway.”