FY 2021 Plans for DOD’s New Cybersecurity Maturity Model Certification Program

If you have been watching the evolution of the Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC) program to improve the cybersecurity of DOD contractors and subcontractors then you are aware that the Pentagon issued the interim acquisition rule for CMMC at the end of September. CMMC will impact nearly every DOD contractor and subcontractor in the coming years.

Katie Arrington, Chief Information Security Officer (CISO) for the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)), is the DOD lead for CMMC and recently provided an update on CMMC at an virtual event hosted by FedScoop.

Some of the key topics Arrington covered include:

• Pathfinder Pilot Programs: the DOD has been working through five pilot programs that included a mock contract with updated acquisition guidelines. They have also worked with some primes and subs on the mock contracts to see how they mapped to the required certification levels. The CMMC Program Management Office (PMO) also worked through a mock dispute resolution process with CMMC Accreditation Body (AB).
• Certification Assessors: Initial training was delivered in June to CMMC Third-Party Assessor Organization (C3PAO) assessors. There have been two cycles of pilot training that the AB has run resulting in 50 assessors available today. Ongoing efforts include refining the Assessor training curriculum and assessment instrument and getting them out to companies to produce it for delivery across the country. The DOD is also working through mapping CMMC to International Organization for Standardization (ISO) standards for congruity.
• Exceptions to CMMC: There are only a few procurements that will be excepted from the CMMC requirement. First, micro-purchases on government credit cards. Second, commercial-of-the-shelf (COTS) products. (The COTS product producer will not need a CMMC certification, however, a systems integrator selling a COTS product to the DOD will still need a Level 1 certification.)
• Supply Chain Implications: In addition to strengthening the cybersecurity of DIB suppliers, CMMC will have the side effect of driving down foreign ownership of the DOD (and other federal departments) supply chain. CMMC will also likely reduce foreign bad-actor penetration of government contracts, networks and critical information since CMMC audits will require a company’s personnel (and infrastructure?) to be physically present to meet with assessors.
• New Interim DFAR Rule: The recently released the Defense Federal Acquisition Regulation Supplement (DFARS) interim rule will go into effect on November 30. Arrington had originally thought the DOD would propose a draft rule that would work through the established process toward finalization. But given that cybersecurity and supply chain security is such a high national security priority the decision was made to put this DFAR is on the fast track as a “national emergency” provision to expedite the process. The net effect is that the government took 90 days off Arrington’s schedule. As part of the requirements vendors must show how they comply with the standards outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Vendors will register their self-assessments and DOD will then follow up with CMMC. Until the interim rule goes into effect on November 30th, DOD is seeking comments from industry to help shape the final rule. Arrington said they are especially interested in input from Level 4 and Level 5 companies on how the DOD can help drive cybersecurity at those levels.
• FY 2021 Plan Forward: In FY 2021 the DOD is planning to have 15 individual contracts aligning with primes that have Defense Industrial Base (DIB) Common Access Card (CAC) assessments level HIGH, which would put them at CMMC Level 3. These contract can have from anywhere from 15 to 1,500 subcontractors on them. By the end of the year they plan to have 1,500 subs certified, depending on the needs of the contracts and the pace of assessments.

While Arrington did not broach the topic of whether or not there will be reciprocity between the CMMC and the FedRAMP program certification, this is something she has said in the past that makes sense and is something the PMO is investigating.