Industry Concerns Mount as DoD Reviews Its Budding Industry Cybersecurity Certification Program

Since the Department of Defense (DoD) launched their Cybersecurity Maturity Model Certification (CMMC) program in June 2019 there has been keen interest on how the program would unfold.

Things began to take shape throughout 2020, including the release of DoD’s draft interim defense acquisition regulation and by the beginning of 2021 the CMMC program was making some progress, with Pathfinder programs and CMMC pilot contracts underway and the issue of CMMC and FedRAMP reciprocity being ironed out.

Of course, CMMC has not been without its challenges and the current issues will continue to garner the sharp attention of members of the federal contracting community across the defense industrial base and beyond.

Leadership Changes at DoD and Accreditation Body

This spring, the Biden DoD replaced CMMC lead Katie Arrington with Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, to assume oversight of CMMC. For its part, the CMMC Accreditation Body (AB) has seen multiple leadership and staff turnover over the last year. In March, Matthew Travis, a former CISA deputy director was tapped to lead the AB.

DoD CMMC Program Review Underway

In March, the DoD ordered a review of the CMMC program, with the following three goals:

1. Managing costs for small businesses. The DoD and AB are discussing several options for helping small businesses with the costs associated with certification, but currently there is no plan in place.
2. Clarifying cyber regulations and contracting requirements. DoD’s 2020 interim acquisition rule raised questions on how program fits with numerous other rules governing cyber and supply chain security. DoD plans to clarify, de-conflict and streamline things.
3. Reinforcing confidence in the program. The DoD wants to reinforce trust and confidence in the developing CMMC assessment ecosystem.

It is unclear when DoD will complete their review and when results will be released.

Accreditation Body CMMC Assessor Progress

In June, the CMMC AB announced that they had authorized the first third party assessment organization (C3PAO) and had more than 150 candidate C3PAOs awaiting certification. The AB has been operating with provisional security assessors while they work to finalize the assessor certification training, which is still under development.

Timeline for Full Implementation

The original CMMC rollout plan was to slowly ramp the program to apply to all DoD contracts by 2026. However, that could change given the current program review that is underway at the DoD. According to the AB CEO Matthew Travis, pushing out the timeline is not something out of the ordinary for a program of this scope and complexity. He suggests that other examples of new large federal programs, such as FedRAMP, point to a longer timeline.

Industry Concerns Continue

DoD’s evolving cybersecurity certification for contractors is causing questions and concerns among members of the Defense contracting community over the impacts of the regulation on their businesses, especially small and medium-sized companies. Two major issues revolve around the cost and administrative burdens of obtaining the certification.

Cost Concerns – Concerns about upfront compliance costs are coming from multiple sectors and may reduce DoD’s supply chain. DoD has estimated the cost of a CMMC Maturity Level 3 (ML3) certification to be more than $118,000 in the first year. One recent industry survey finds that nearly 25% of U.S. electronics manufacturers may exit the Defense market due to high costs associated with CMMC.

Assessment Availability – DoD appears to be moving toward requiring having more experienced assessors conduct assessments at Level 3 and above. This would likely increase the cost of assessments. But the greater impact may be putting a squeeze on the already-limited supply of high-level assessors, especially considering the current pace of getting the assessor training finalized and rolling.

Implications

Between the projected cost burden and the logistical and administrative challenges of compliance, CMMC in its current form has to potential to drive some companies away from doing business with the DoD, shrinking the Defense industrial base and introducing unforeseen supply chain risks. And while changes in leadership and key staff positions are to be expected over a multi-year effort, the frequency and nature of some of the turnover within the first few years of CMMC’s creation continues to raise questions about the program’s future.