The Defense Department’s Cybersecurity Maturity Model Certification Gains Steam
Published: February 11, 2021
Federal Market AnalysisCybersecurityDEFENSEPolicy and LegislationSubcontracting
The flurry of news about the Pentagon’s Cybersecurity Maturity Model Certification program points to key developments that contractors need to know.
Watching the continuing evolution of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program is enough to set anyone’s mind awhirl and the last few months has seen a number of developments and plans unfold. If you are totally new to the topic, check out this overview of the CMMC program.
Here are some of the recent items most relevant to federal contracting companies that do business with the DoD, or aspire to.
Pathfinder Programs – The DoD has done three pathfinder programs using CMMC requirements to test the CMMC assessment approach and work through what the RFI language would be. Pathfinders were held at the Missile Defense Agency, the Defense Logistics Agency and the U.S. Navy. The process included working with contractors to understand what information DoD needed to implement successfully, working through a mock RFP, conducing post-award conferences, and adjudicating a dispute resolution challenge.
CMMC Pilot Contracts – In December, the DoD announced their initial group of pilot CMMC contracts, each of which will have CMMC requirements that span from Level 1 to Level 3 under the CMMC five-tier structure. A handful of additional pilots are expected to be announced. December is also when the new Defense Federal Acquisition Regulation Supplement (DFARS) interim rule went into effect. As part of the requirements vendors must show how they comply with the standards outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Vendors will register their self-assessments and DoD will then follow up with CMMC. DoD sought industry comments in the month before the interim rule took effect to help shape the final rule, which is anticipated this summer. Of particular interest is how the DoD can help drive cybersecurity at levels 4 and 5 at companies. Since DoD has said all along that they want to include CMMC in new contracts (as opposed to adding CMMC mid-contract or to option years on existing contracts) the timing of these acquisitions is part of the challenge. While the current pilots are anticipated to be awarded in FY 2021, it is possible the timelines could slip. The next round of pilots will most likely be announced in the new fiscal year, it seems, so companies that are not part of the supply chain of the first set of pilots likely have some time to prepare.
Cybersecurity Assessors – During their January Town Hall, the CMMC Accreditation Body (CMMC AB) reported that they currently have approved 100 provisional assessors that are cleared to assess companies at CMMC Level 1. These 100 provisional assessors are spread across 53 CMMC third-party assessment organizations (C3PAO), with more than 350 additional C3PAOs having pending applications. One of the next priorities is to get assessors and C3PAOs prepared for Level 3 assessments. For contractors that initially self-certified under NIST SP 800-171 – and now the interim DFAR rule – as having certain cybersecurity practices in place, the Defense Contract Management Agency’s (CDMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team has been performing DIBCAC assessments that are expected to map to various CMMC levels. The idea here being to limit the number and cost of assessments needed for firms that pass muster. Formalizing and approving that mapping will help move CMMC down the implementation timeline.
Reciprocity With Existing Standards – The mapping of DIBCAC assessments to CMMC levels is just one area where certification reciprocity comes into play. Federal News Network reported that DoD is close to finalizing a DIBCAC assessment reciprocity memo, according to Stacy Bostjanick, the director of CMMC policy in the Office of the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)). Here, reciprocity would apply to contractors that scored 70 or above on a DIBCAC assessment. Then CMMC assessments would only need to be performed in the areas where they fell short, plus the additional 20 requirements that CMMC adds to the 800-171. Bostjanick also said that members from the CMMC-AB, the DIBCAC and the General Services Administration (GSA) are working on a reciprocity agreement between FedRAMP and CMMC to align the respective component levels between each program.
DoD and Beyond . . . But How or When?
As many have anticipated, the interest among federal civilian departments and agencies in leveraging CMMC to increase their contractor supply chain security would follow, once the program got moving. In recent months we have seen news reports that GSA is considering including CMMC on its Streamlined Technology Acquisition Resource for Services (STARS III) small business government-wide contract and that the DoD is working with the Department of Homeland Security (DHS) to add CMMC to DHS contracts. However, while there is surely interest and even some language that may be included in solicitation documents, formal adoption of CMMC by civilian agencies (and their contractor base) will likely prove challenging while the DoD incrementally rolls out and finalizes the program over the next five years.
The timing may be highly fluid, but the sense is strong that CMMC, or some of its core elements, will spread across federal contracting in the coming years. In a recent press interview, former CMMC AB member Chris Golden said he believes CMMC will certainly go beyond the DoD in some form. “They understand that they’re losing data, that they’re losing capability through cyber breaches in their supply chain, just like DoD is, and they need to do something about it,” Golden said. “I think you’ll see some kind of coordination step between the major entities in government, sort of whole of government approach, but as to when or how or who, I have no insights into that.”