In September 2020, the DoD issued an “interim rule” in regard to implementing CMMC (Cybersecurity Maturity Model Certification), meaning the rule took effect immediately versus a more commonly used “proposed rule” that has a future implementation date. However, the interim rule also came with a 60-day comment period to allow the IT industry affected by the rule time to comment on some of their concerns with the rule.
To get an idea of some of the concerns submitted during the comment period, one IT industry giant suggested:
- Enhancing the clarity about CMMC’s scope, applicability, and implementation timeline to include:
- Flow-down requirements (especially in regard to subcontractors that fall under Prime contractors)
- Consistency in procurement requirements
- Scope of coverage
- Publishing further guidance and clarification on Certification and Recertification including:
- Complex environment certification
- Streamlining federal cybersecurity requirements
- Ensuring no new risks are created in the process
Other companies requested clearer guidance on the reciprocity between CMMC and other federal IT compliance programs they fall under, such as FedRAMP (Federal Risk and Authorization Management Program).
The trade group ITI wrote in its comments, “As the Department moves forward with the CMMC, we believe that it is important to get its implementation right by developing and implementing those cybersecurity protocols that are necessary, while simultaneously guarding against actions and regulations that do not add security and result in harm to industry’s ability to innovate and partner with DoD.”
NIST’s SP800-172
And throw into the mix the updated IT protective guidance published in the new Special Publication SP800-172 from NIST, a response to the SolarWinds incident – an alleged Russia-backed hack that compromised computer network servers and pushed out malware to federal agencies, major corporations and other organizations tied to those servers – and it is easy to see the concern companies have of being able to meet all of the security requirements coming down from several different entities.
In the end, based on the submitted interim rule comments and the new SP800-172, more CMMC changes from the DoD are expected in the near future and should be reflected in updated CMMC assessment guide – the evaluation standard used by AB assessors.
CMMC will need to split
In the original DoD agreement, the CMMC would house both the Accreditation Body (AB) and the CMMC Assessors and Instructors Certification Organization (CAICO). However, to meet the requirements of ISO 17011 referenced in the Statement of Work (SOW), the CMMC-AB cannot control both the training of assessors and the accreditation process as it could potentially create a conflict of interest.
The CMMC-AB had previously stated that their target date for their certification and training framework would be completed in September 2021. However, now to comply with the ISO, the AB and CAICO must split into two separate business entities. The SOW went on to say that the split must be completed NLT October 31, 2022 giving the CMMC an additional year split off the CIACO into a separate business entity and adjust the AB to a single entity.
Meanwhile on the AB side, the long process of accrediting enough assessors to certify the approximately 300,000 DIB contractors began five months ago. These “provisional assessors” as they are called, will perform assessments during the first year of the CMMC program while it undergoes further refinement. The current goal is to have 360 individuals trained by the end of the 2021 fiscal year and 1,500 in fiscal 2022.
DoD’s CMMC project will be a constantly evolving initiative and must do so if it is to be proactive to the expected future rise both in frequency and ferocity of large-scale compromise attempts by our adversaries. DoD contractors’ computer network systems need to prevent the acquisition of information that could at best degrade the DoD’s ability to compete globally or at the worst, jeopardize our nation’s security.