Inside Cybersecurity


Defense, tech associations question timeline for CMMC implementation, reciprocity in interim rule

By Sara Friedman / September 29, 2020

Two leading defense associations are asking questions about the interim rule published today by the Defense Department establishing its cyber certification program, in terms of the rollout and what it means for contractors.

The interim rule to implement the Pentagon’s Cybersecurity Maturity Model Certification program sets up cybersecurity requirements that contractors will need to meet to do business with DOD, through the National Institute of Standards and Technology Special Publication 800-171 and the CMMC Framework. The rule establishes a 60-day public comment period. Immediately after the comment period ends, the rule will become effective.

The rule was released on public inspection in the Federal Register Monday and published in today’s edition.

The Pentagon initially planned to release a notice of proposed rulemaking in the spring and hold a public hearing on the rule. Defense Department acquisition CISO Katie Arrington said in May the public hearing was held up due to the COVID-19 pandemic and figuring out how to hold a public hearing virtually.

The National Defense Industrial Association on Monday criticized the Defense Department for changing how it will implement changes needed for CMMC.

“While we understand the disruptions caused by the COVID-19 crisis, the use of the interim rule format limits the ability for DOD to incorporate valuable feedback from the DIB prior to the final rule taking effect,” Corbin Evans, NDIA’s principal director for strategic programs, told Inside Cybersecurity. “This rulemaking procedure also eliminates the ability for a public meeting to be conducted on the rule prior to implementation, which would have been a valuable opportunity for government to hear the concerns and feedback from industry prior to this rule moving forward.”

In the rule, the Defense Department decided to add three new clauses to the Defense Federal Acquisition Regulation Supplement (DFARS) instead of making changes to the current standard DFARS clause 252.204-7012, which Jason Timm, assistant vice president for national security policy at the Aerospace Industries Association, sees as a positive.

“While there is a lot to unpack in [the rule], the basics of 7019, 7020 and 7021 provide the information that we have been looking for,” Timm told Inside Cybersecurity. “I think there is sufficient time for us to comment on it. We are used to a certain degree reacting to interim rules. While this was supposed to be a proposed rule out of [OMB’s Office of Information and Regulatory Affairs], it became an interim rule and we got that information out to our members as soon as possible.”

Timm said AIA is appreciative of the five-year rollout for the CMMC program with language implementing CMMC to be rolled out in all contracts gradually by Oct. 1, 2025.

The rule says, “Until September 30, 2025, the clause at 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.”

Timm called the approval from Office of the Undersecretary of Defense for Acquisition and Sustainment a sign from the Pentagon that it doesn’t intend to “overload industry or the CMMC Accreditation Body in being able to issue certifications and industry being able to schedule their assessments. It helps to provide a more structured flow over those five years for getting assessments accomplished and companies certified.”

The Information Technology Industry Council would have preferred the rule come out “as a draft proposed rule, as opposed to an interim rule taking effect in 60 days,” Gordon Bitko, senior vice president of policy at ITI, told Inside Cybersecurity.

“Our industry supports the need to accomplish [the requirements behind CMMC] correctly--to that end, we feel it would have been better to coordinate with industry and other stakeholders in advance,” Bitko said. “The costs and consequences associated with a certification program of this scale all point to the need to put in time up front to get this right instead of rushing.”

ITI and AIA also expressed concerns about reciprocity of the CMMC program with other industry standards such as FedRAMP under the General Services Administration.

“The rule does not address reciprocity for companies that are already FedRAMP certified, and since FedRAMP relies on the same underlying security standard (NIST SP 800-171) as CMMC Level 3 and requires a significant financial and time investment from contractors, not having reciprocity will create a duplication of work and increase costs without a corresponding security benefit,” Bitko said.

When it comes to reciprocity, the rule says, “The NIST SP 800-171 DoD Assessment and CMMC assessments will not duplicate efforts from each assessment, or any other DoD assessment, except for rare circumstances when a re-assessment may be necessary, such as, but not limited to, when cybersecurity risks, threats, or awareness have changed, requiring a re-assessment to ensure current compliance.”

Timm said AIA had hoped a “more informative description on reciprocity would be provided” in the rule, but it appreciates the language explaining the relationship between the assessments that the Defense Contract Management Agency has already completed on 800-171 and the new CMMC requirements. -- Sara Friedman (sfriedman@iwpnews.com)