A landmark effort by the Department of Defense to shore up cybersecurity across its 300,000+ contractor base has managed to stay mostly on schedule despite the coronavirus pandemic. Let's take a closer look at the progress made over the past few months.
Pentagon official Katie Arrington, the acquisition office's CISO and public face of the DoD's effort, has maintained engagement with Defense Industrial Base (DIB) stakeholders via online conferences to provide continual updates and clarifications.
The Cybersecurity Maturity Model Certification (CMMC) program will require all Department of Defense contractors to undergo assessment and third-party certification of their cybersecurity posture to be awarded a DoD contract. The tiered certification program includes five levels corresponding to the sensitivity of Controlled Unclassified Information (CUI) a contractor will handle under a particular contract.
Accreditation body in place, assessor certification underway
Rolling out the requirements will be a slow and measured process. DoD has handpicked the first ten Requests For Information (RFIs) that will include CMMC requirements, scheduled to appear at the end of July or early August. The Requests For Proposals (RFPs) will follow later this year, and the first contract awards are expected in early 2021.
The plan now is to have CMMC requirements in all new RFIs by 2026. Since DoD will not modify existing contracts to insert CMMC requirements (outside of extenuating circumstances), the five-year timeline accounts for the general five-year contract cycle (one base plus four option years).
The CMMC Accreditation Body (CMMC-AB), a non-profit organization responsible for overseeing the third-party assessment enterprise, is now up and running.
The CMMC-AB has begun training Certified Third Party Assessor Organizations (C3PAOs), which will be certified to manage the contractor assessment process. DIB companies will contract with a C3PAO to conduct their assessment and certification. Certification will be an allowable cost built into the DoD contract.
Civilian agencies take note
Other federal agencies are likely to adopt similar certification models for their contractors. The Department of Homeland Security will incorporate some measures in its upcoming supply chain security guidance. A form of FedRAMP reciprocity is also under discussion, and CMMC is already being referenced in civilian agency proposals.
Illustration: CMMC Seal
In a recent RFP for its government-wide IT acquisition program, the General Services Administration recommended contractors prepare for CMMC certification in anticipation of eventual inclusion of CMMC-like requirements in the civilian acquisition process.
CMMC's official expansion beyond DoD to civilian contracts will require some additional guidance (and time). GSA's mention of CMMC is undoubtedly another sign, however, that CMMC's influence continues to grow, and it's not just defense contractors who should be tracking the issue.
Congressional Oversight: "Unanswered Questions"
Not surprisingly, lawmakers on Capitol Hill have been keeping a close eye on the program's progress. Through the annual National Defense Authorization Act (NDAA), the House and Senate Armed Services Committees have included provisions in their respective bills that address different aspects of CMMC. Both bills await floor action in the second half of July.
The House's version of the FY21 NDAA, approved by the Armed Services Committee on July 1, seeks answers to "unanswered questions" about the program's implementation. The bill directs DoD to provide the following by January 15, 2021:
- the estimated annual costs to the Department to implement CMMC and the estimated annual costs to the Department for CMMC expenses that will be considered an allowable cost on a government contract for each of fiscal years 2020 through 2024;
- the estimated costs for compliance and certification for each category of small, medium-sized, and large businesses, by CMMC tier;
- the status of Department efforts to revise regulations, issues related to current contract clauses, the timelines proposed for each step in the regulatory process, and the planned applicability to contracts once a final regulation is implemented;
- the efforts of the Department to incorporate CMMC training into the Department's and Defense Acquisition University's training requirements;
- the efforts of the Department to address issues surrounding exclusivity of the standard and the certification across the enterprise;
- a discussion of the roles, responsibilities, and liabilities for the prime contractors and subcontractors with regard to the assigning of the CMMC tier;
- a discussion of the plan for the CMMC Accreditation Board to engage and train the appropriate resources to conduct certifications for the defense industrial base as it pertains to the timelines included in the Department's rollout of CMMC;
- a plan for the Department to obtain and retain the CMMC Accreditation Board as the exclusive provider of CMMC certifications;
- a discussion of how the CMMC Accreditation Board will prioritize the requests for CMMC certification and the factors used to determine priority, if any, specifically with regard to company size, sole source contracting, and the timelines included in the Department's rollout of CMMC.
During the bill's markup, the committee approved an amendment addressing potential conflicts of interest raised by the program. In addition to praising the effort to secure industry networks, the amendment directed the Department of Defense to provide more information on how it planned to protect the proprietary information third-party auditors will gather from contractors during their assessments.
The Senate bill also addresses the challenges CMMC presents to small businesses and seeks additional information on how DoD can help alleviate the burden. There are also CMMC-related provisions that range from cyber hygiene to cyber threat hunting.
In an interesting turn, the committee expressed concern that DoD could be holding contractors to a higher cybersecurity standard than DoD components. Citing a recent GAO report that found DoD had not fully implemented its own cyber hygiene practices, the committee called on the DoD CIO to assess each component against CMMC criteria.
On the subject of cyber threats, a provision addresses DIB participation in a threat intelligence sharing program. The committee expresses concern that CMMC levels 1 through 3 do not require a threat hunting capability, and about the impact that gap will have.
Outlook: Encouraging Resilience
One of the final steps before the certification program becomes official is a change to the Defense Federal Acquisition Regulation (DFAR), which requires a public hearing. Delayed due to coronavirus safety concerns, the hearing will likely take place in September.
While most subcontractors will only require lower levels of certification and basic cyber hygiene can go a long way towards satisfying those criteria, the certification process will still be a challenge for small businesses. As part of its oversight responsibilities, Congress recognized those concerns and called for DoD to clarify and provide some relief.
I've followed the effort from its early drafts (see here and here) and find it impressive how well the program has advanced. It's not often that a major DoD policy shift with a timeline as aggressive as the CMMC's stays on target under normal circumstances. That it is still on track during the pandemic shows the resilience of all stakeholders and is indicative of their willingness to address the many difficulties that lie ahead.