A landmark effort by the Department of Defense to shore up cybersecurity across its 300,000+ contractor base has managed to stay mostly on schedule despite the coronavirus pandemic. Let's take a closer look at the progress made over the past few months.
Pentagon official Katie Arrington, the acquisition office's CISO and public face of the DoD's effort, has maintained engagement with Defense Industrial Base (DIB) stakeholders via online conferences to provide continual updates and clarifications.
The Cybersecurity Maturity Model Certification (CMMC) program will require all Department of Defense contractors to undergo assessment and third-party certification of their cybersecurity posture to be awarded a DoD contract. The tiered certification program includes five levels corresponding to the sensitivity of Controlled Unclassified Information (CUI) a contractor will handle under a particular contract.
Rolling out the requirements will be a slow and measured process. DoD has handpicked the first ten Requests For Information (RFIs) that will include CMMC requirements, scheduled to appear at the end of July or early August. The Requests For Proposals (RFPs) will follow later this year, and the first contract awards are expected in early 2021.
The plan now is to have CMMC requirements in all new RFIs by 2026. Since DoD will not modify existing contracts to insert CMMC requirements (outside of extenuating circumstances), the five-year timeline accounts for the general five-year contract cycle (one base plus four option years).
The CMMC Accreditation Body (CMMC-AB), a non-profit organization responsible for overseeing the third-party assessment enterprise, is now up and running.
The CMMC-AB has begun training C3PAOs, Certified Third Party Assessor Organizations, who will be certified to manage the contractor assessment process. DIB companies will contract with a C3PAO to conduct their assessment and certification. Certification will be an allowable cost built into the DoD contract.
Other federal agencies are likely to adopt similar certification models for their contractors. The Department of Homeland Security will incorporate some measures in its upcoming supply chain security guidance. A form of FedRAMP reciprocity is also under discussion, and CMMC is already being referenced in civilian agency proposals.
Illustration: CMMC Seal
In a recent RFP for its government-wide IT acquisition program, the General Services Administration recommended contractors prepare for CMMC certification in anticipation of eventual inclusion of CMMC-like requirements in the civilian acquisition process.
CMMC's official expansion beyond DoD to civilian contracts will require some additional guidance (and time). GSA's mention of CMMC is undoubtedly another sign, however, that CMMC's influence continues to grow, and it's not just defense contractors who should be tracking the issue.
Not surprisingly, lawmakers on Capitol Hill have been keeping a close eye on the program's progress. Through the annual National Defense Authorization Act (NDAA), the House and Senate Armed Services Committees have included provisions in their respective bills that address different aspects of CMMC. Both bills await floor action in the second half of July.
The House's version of the FY21 NDAA, approved by the Armed Services Committee on July 1, seeks answers to "unanswered questions" about the program's implementation. The bill directs DoD to provide the following by January 15, 2021:
During the bill's markup, the committee approved an amendment addressing potential conflicts of interest raised by the program. In addition to praising the effort to secure industry networks, the amendment directed the Department of Defense to provide more information on how it planned to protect the proprietary information third-party auditors will gather from contractors during their assessments.
The Senate bill also addresses the challenges CMMC presents to small businesses and seeks additional information on how DoD can help alleviate the burden. There are also CMMC-related provisions that range from cyber hygiene to cyber threat hunting.
In an interesting turn, the committee expressed concern that DoD could be holding contractors to a higher cybersecurity standard than DoD components. Citing a recent GAO report which found DoD had not fully implemented its own cyber hygiene practices, the committee called on the DoD CIO to assess each component against CMMC criteria.
On the subject of cyber threats, a provision addresses DIB participation in a threat intelligence sharing program. The committee expresses concern that CMMC levels 1 through 3 do not require a threat hunting capability and about the impact that will have.
One of the final steps before the certification program becomes official is a change to the Defense Federal Acquisition Regulation (DFAR), which requires a public hearing. Delayed due to coronavirus safety concerns, the hearing will likely take place in September.
While most subcontractors will only require lower levels of certification and basic cyber hygiene can go a long way towards satisfying those criteria, the certification process will still be a challenge for small businesses. As part of its oversight responsibilities, Congress recognized those concerns and called for DoD to clarify and provide some relief.
I've followed the effort from its early drafts (see here and here) and find it impressive how well the program has advanced. It's not often that a major DoD policy shift with a timeline as aggressive as the CMMC's stays on target under normal circumstances. That it is still on track during the pandemic shows the resilience of all stakeholders and is indicative of their willingness to address the many difficulties that lay ahead.
Office of the Under Secretary of Defense for Acquisition & Sustainment
As Director of Government Strategy at Authentic8, Abel advises the federal business team on policy development and budget trends to identify growth opportunities and shape customer engagement.
Want to learn more about the Silo Web Isolation Platform? Have a general inquiry about Authentic8? We’d love to chat! Click one of the buttons below to get in touch with our representatives.
