There’s a chance we should title this article – The Long Year Until CMMC 2024, since all signs are pointing that there may be more delays before we can see any type of final ruling. The Pentagon has determined that new rules need to be added to the CMMC guidelines and due to this proposed change, it is likely that a shift date for full implantation is looking like the year 2024.
Proposed Rule for CMMC
According to Reginfo.gov, it shows that a Proposed Rule (which was previously labeled as “New Rule”) has been updated by Agency DOD/OS tilted, “Cybersecurity Maturity Model Certification (CMMC) Program. “DOD is proposing to implement the Cybersecurity Maturity Model Certification Framework, to help assess a Defense Industrial Base contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).”
The DOD has labeled this proposed rule as priority: Economically Significant. The theft of intellectual property according to Reginfo reports that FCI and CUI estimates malicious cyber activity cost to the U.S. economy between $57 billion and $109 billion in 2016. Over a 10-year period, that burden would equate to an estimated $570 billion to $1.09 trillion dollars in costs. It is also worth mentioning that the risk increases based on DoD supply chain being undercut and the impact that would have on national security. I’d like to point out that while these risks are incredibly obvious, it truly doesn’t seem to light a fire to expedite CMMC into existence.
New DoD Cyber requirements for the DIB
I had the opportunity to chat again with Vincent Scott, CEO of Defense Cybersecurity Group, a cyber consulting company focused on the new DoD Cyber requirements for the DIB, to see where he stood on this rule update/delay. “I would argue that the potential delay is not a result of administration strategy, but rather a combination of internal bureaucracy politics and legitimate concerns about the impact on business and how that impact might reflect on the senior officials involved. Because cyber security is nowhere in the decision-making process for selecting vendors, businesses do not want to pay for it. Essentially, in my view, the DoD is telling contracts that they really want cybersecurity and then paying them not to do cybersecurity through the contracting award process. Lower rates win, and if you pay for a very expensive cyber program, you competitively disadvantage yourself. It is no surprise to me the way the DIB is responding to those conflicting requirements.”
An article written by Fred Kaplan of Slate news, “When It Comes to Cybersecurity, the Biden Administration Is Getting Much More Aggressive.” I almost didn’t have to read the article to know that this was likely to be targeting private companies not DIB related. The overarching message of President Biden’s soon-to-be-approved policy [to protect private companies from malicious hackers] has me wondering if resources that were once focused on the public sector, DIB, and government entities are going to be switched to private stakeholders for monetary gain. I recognize the language within these policies discuss the switching capabilities from a defensive standpoint to an offensive attack mode, but what are we really saying?
CMMC Questions in 2023
Here are some questions to ask ourselves in 2023 in hopes of getting closer to a final checklist for CMMC.
- If CMMC is about safeguarding CUI and mandating necessary controls on the defensive, are we now ADDING to the construct that additional funding should be available and should switch to a counter-attack mode?
- Will we see that type of language used in CMMC? “What are you doing on the offensive? Show us….”
- If 2023 seems like too far of a stretch to have a finalized checklist, is the government looking to extend the inevitable into 2024?
Only time will tell, I suppose.
