Written by Jon Harper
Federal contractors still face many unknowns about how the Pentagon’s controversial cybersecurity maturity model certification program will be implemented, the head of a major trade association told lawmakers on Tuesday.
The CMMC program is an effort to incentivize the defense industrial base to improve its cybersecurity with new certification-based standards and better protect controlled unclassified information from adversaries.
After significant pushback from contractors over implementation burdens and costs, and after conducting an internal review, the DOD announced in November that it was revamping its plans and rolling out a revised version of the program it calls CMMC 2.0.
Additionally, earlier this year, Deputy Secretary of Defense Kathleen Hicks transferred responsibility for the program from the Pentagon’s office of acquisition and sustainment to the office of the chief information officer.
“The requirements are in the early stages of the rulemaking process. And so we anticipate that a revised supplement to the Federal Defense Procurement Regulations will be released. We’ve heard various estimates that it could be as early as late this spring or as late as a year from now,” David Berteau, president and CEO of the Professional Services Council, told a Senate Armed Services Committee hearing on the health of the defense industrial base.
He continued: “What we don’t know is what is the next standard we will have to meet? When will the flag drop and you have to comply? And what can you do now to be ready for that when you don’t know… what standards you’re going to have to meet? So there’s still a lot of ambiguity there.”
Delays in the program have implications for cybersecurity, he noted.
“One of the issues or concerns that we have raised from the beginning is that the threat is not waiting for this implementation, if you will, and every day that threat is growing,” he said. “The real question is, do these standards go far enough to protect us against the evolving threat? And no one really knows the answer to that.”
CMMC 2.0 aims to simplify standards, minimize barriers to compliance, provide additional clarity on regulatory, policy and contractual requirements, increase departmental oversight of “professional and ethical standards in the assessment ecosystem” and improve overall ease of execution, according to a DOD press release issued in November.
Key changes include a reduction in the number of security compliance levels from five to three, and a reduction in the number of contractors who will be required to obtain third-party verification of their compliance.
The DOD plans to specify a baseline subset of the requirements that contractors must fully meet before contract award, with the remaining requirements allowed to be closed out afterward under a time-bound plan of action and milestones.
CMMC will not be implemented until rulemaking for Title 32 of the Code of Federal Regulations and for the Defense Federal Acquisition Regulation Supplement is completed.
However, the Pentagon has encouraged contractors to beef up their cybersecurity while rulemaking is ongoing.
Berteau noted that many contractors are already working to comply with the cybersecurity standards outlined in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), on which CMMC is built: CMMC 2.0 Level 2 maps directly to the 110 security requirements in that publication, so work done against SP 800-171 today carries over to the certification.
“Almost every company I know that is involved in the defense industry today at the prime contractor level, whether large, medium or small, already invests and has a registered plan to comply and meet these standards,” Berteau said. “It’s not included in the contracts [now as part of CMMC] …but a lot of people are still moving forward.”