Last December, the United States Department of Defense (DoD) published a 60-day comment period for a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program. It revised certain aspects of the program to address public concerns in response to DoD’s initial vision for the CMMC 1.0 program, as originally published in September 2020.

When it was introduced, CMMC was a new regulation aimed at measuring a company’s capabilities, readiness, and sophistication in the area of cybersecurity. While the framework incorporated existing processes and protocols from standards such as NIST 800-171, it called for certification from Third Party Assessment Organizations (3PAOs).

Once the rulemaking is finalized, all government contractors working on defense-based contracts for the DoD will be required to achieve a CMMC certificate at a specified level, as determined by the type of data with which the organization comes into contact. Most companies that require a Level 2 certification, as well as all companies that require a Level 3 certification, will require an audit from a CMMC-Certified Third-Party Assessment Organization (C3PAO).

According to the DoD’s chief information officer, “The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on The Cyber AB Marketplace. The DIB company will be fully responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will upload the assessment report into CMMC EMASS, which DoD can access.”

The Coming Phased Rollout

On Thursday, the Pentagon released a Federal Register notice explaining that the CMMC rules will see a phased rollout once they become final, which is expected to happen early next year.

“This proposed DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base,” wrote the DoD’s Defense Acquisition Regulations System.

“CMMC 2.0 provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain,” the notice added.

The new rule will require contractors to “only transmit data on information systems that process, store, or transmit FCI (Federal contract information) or CUI (controlled unclassified information) during contract performance that has certification at the CMMC level required by the contract.” It will also require contractors to notify the contracting officer if there are any lapses or changes in CMMC certification levels, notably those that affect the requirements for information security during contract performance.

“The clause will also include language identifying the CMMC level required by the contract,” the register further noted.

With the comment period closed, the rule will be sent to Congress for approval, although it is unlikely that lawmakers would reject it. The deadline for the rule to go to Capitol Hill is mid-October, with it becoming final by the end of December.

Streamlining Cyber Certification

Over the three-year rollout, the number of contractors that handle sensitive data could increase to 35%, and those companies will need to obtain the “Level 2” CMMC third-party certification. The rule update and rollout should help those firms be ready – yet more could still be done.

“An upgraded framework has been in the works for a while, so the latest rule proposal is a logical next step in their efforts to streamline the cyber certification,” explained Dr. Jim Purtilo, associate professor of computer science at the University of Maryland.

The rollout was intended to minimize the financial impact on the industrial base, while also minimizing disruption to the DoD supply chain.

“There ought to be a faster way to bake actionable information into security improvements,” Purtilo told ClearanceJobs.

“What seems to be missing is a measurement of practices to close the loop on their efficacy,” added Purtilo. “The original framework has been in place long enough for us to tell how compliance at one or another level correlates with observed value. Does spending on practices to meet a higher level of certification correlate with fewer incidents? Does it win fewer data spills and better availability of services? I don’t see much research speaking to the ROI (return on investment) which would certainly help decision-makers.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.