Inside Cybersecurity


Industry groups weigh in on CMMC costs, guidelines for assessment as Pentagon interim rule takes effect

December 4, 2020

Industry groups across a wide range of sectors are asking the Defense Department to provide more details on how its new cyber certification program will impact government contractors.

An interim rule establishing DOD’s Cybersecurity Maturity Model Certification program and setting up new requirements for defense contractors under National Institute of Standards and Technology Special Publication 800-171 went into effect on Monday.

The Pentagon this week publicly released industry comments on the rule, addressing several key concerns including costs for compliance and the need for consistent assessment standards for the defense industrial base.

The U.S. Chamber of Commerce, which represents company interests across the government sector, emphasized in its comments that “DoD’s stated ‘crawl, walk, run’ approach to rolling out the CMMC, which will become the beating heart of the rulemaking, is a sound way to proceed.”

The Chamber said, “A dominant takeaway we have is that many contractors are working hard to understand what the IR demands of them, including executing near-term requirements (e.g., completing the basic self-assessment pursuant to DFARS clause 252.204-7012) and wrestling with a number of questions that the IR does not appear to fully address.”

The Pentagon estimates 300,000 contractors in the DIB will need to get certified under CMMC by Oct. 1, 2025. Inside Cybersecurity looked into some of the issues raised by stakeholders, grouped by sector, based on their responses to the rule.

Contractors across the federal government

Two associations representing companies that do business with both DOD and civilian agencies pointed out potential pitfalls with the adaptability of the CMMC framework and supply-and-demand complications with assessments.

“It remains unclear how potential innovations would be incorporated into future revisions of the CMMC,” the Professional Services Council wrote to DOD. “For CMMC to be an effective tool for securing the industrial base, it will need to be updated in a timely fashion to reflect new technologies made available in the marketplace as well as changes to the ‘threat’ and the methods used by our adversaries against our networks.”

The Coalition for Government Procurement questioned the volume of provisional assessors trained and approved by the CMMC Accreditation Body to complete assessments for CMMC levels one through three, saying “the numbers of such Provisional Assessors are small.”

“For CMMC to assess even a small fraction of companies who may need a CMMC Level 3 certificate, much less the very much greater number of companies who now are subject to CMMC Level 1, there must be an enormous increase in the number of trained and accredited assessors and C3PAOs,” the coalition said.

Telecom industry questions commercial-off-the-shelf exemptions

USTelecom and CTIA-The Wireless Association want DOD to provide more guidance around how a COTS carveout in the interim rule will apply to telecom companies that provide communications services to the military and the Pentagon’s fourth estate.

“Unless a contract provides a specialized service that is specific to DoD’s unique national security needs, basic commercial voice and data transport services should be treated as COTS,” USTelecom said in its filing. “The CMMC’s certification requirements are generally intended for security assurance across all of DoD’s thousands of contractors; this is not necessary for providers of commercial telecom service, who…have been world leaders and government partners in communications security for decades.”

Supply chain regulations enforced by the Federal Communications Commission and other agencies need to be taken into consideration for the CMMC program, according to CTIA’s filing.

“Telecom and data service providers, including CTIA’s members, participate in the federal procurement process across government missions as prime contractors and subcontractors,” the wireless association said. “Due to the nature of the services they provide, they are also regulated by independent agencies such as the Federal Communications Commission (‘FCC’). This regulatory oversight makes it imperative that any new security obligations be harmonized with other telecom-specific requirements.”

Accreditation bodies provide oversight advice

HITRUST and ANSI National Accreditation Board (ANAB) shared lessons learned to improve the integrity and trust among the Pentagon, CMMC AB, assessors and companies seeking an audit.

“The rule does not clarify whether the CMMC-AB is required to conduct any meaningful quality assurance (QA) review of the work of CMMC Third-Party Assessment Organizations (C3PAOs),” HITRUST wrote in its filing. “Further QA requirements should be outlined and clarified for the C3PAOs to meet and the AB to measure their performance.”

ANAB said getting the CMMC AB to join either the International Accreditation Forum (IAF) or International Laboratory Accreditation Cooperation (ILAC) would help the body work to achieve the “various levels of rigor that together make up the competence, credibility, and integrity necessary to achieve the intended results for the marketplace.”

“Many programs within the third-party accredited conformity assessment industry are oversighted (and owned) by either government entities or industry groups,” ANAB asserted.

Raytheon responds

The large prime contractor raised a number of issues, including how to determine what data is considered controlled unclassified information, how to resolve disputes over certified third-party assessment organization (C3PAO) results, and the flow-down of CMMC requirements from primes to their subcontractors.

Raytheon said, “The rule requires that contractors know which CMMC level is ‘appropriate for the information being flowed to the subcontractor’ and verify that the subcontractor is appropriately certified. RTX recommends that DoD not only specify the CMMC level required for contract award, but also specify the CMMC level required for subcontract award and/or performance. While DoD has indicated that contractors handling CUI will need a Level 3 certification, we note again the continued industry confusion regarding identification of CUI/CDI, and thus recommend that DoD provide clear guidance on certification level requirements for subcontractors.”

Tech associations ask for answers on CMMC reciprocity

“Depending on the type of product or service, DoD vendors may already be subject to assessment, certification, or direction under a number of existing initiatives across DOD and the Federal Government,” BSA-The Software Alliance wrote to the Pentagon, referring to the General Services Administration’s FedRAMP program, DoD’s Cloud Computing Security Requirements Guide (SRG) and audits from the Defense Contract Management Agency.

“Moreover, many vendors may obtain certifications against internationally recognized standards that attest to security controls covered by the CMMC,” BSA said. “It is unclear how CMMC certification, above and beyond these existing obligations, would improve the Department’s confidence in the security practices of such vendors.”

The Internet Association added the Committee on National Security Systems (CNSS) Instruction No. 12533 (CNSSI 12533), ISO/IEC 27000, ISA/IEC-62443, and a variety of the DoD’s Security Technical Implementation Guides (STIG) to the mix of standards the Pentagon needs to consider when establishing reciprocity, while also strongly criticizing the relationship CMMC-AB has with industry.

“In order to ensure the proper administration of a program that requires on-site visits and access to some of the most sensitive information about how a contractor’s cybersecurity posture is maintained, the DoD must engage with the DIB in order to establish a [Program Management Office] within DoD,” the Internet Association said to the Pentagon.

In effect, the Internet Association said, “This will result in the CMMC-AB becoming a formal and professional body that has an appropriate level of funding and cleared personnel with the requisite oversight, as well as a body that incorporates and iterates on work that has already been performed by the variety of teams involved in developing and verifying compliance with existing standards across the Federal Government.”

CMMC implications for electric utility companies

The Edison Electric Institute responded to the interim rule on behalf of its members who operate electric grids on military installations. “As of December 2019, DoD had privatized 614 of 2,590 utility systems on military installations worldwide,” the utility association said in its comments.

“CUI is geared toward how federal agencies and departments define CUI,” EEI wrote. “This poses unique challenges for the electric sector. To address these challenges, further clarification of how DoD intends to identify CUI is needed. It is difficult for electric companies to identify information systems that are processing, storing or transmitting CUI. The electric sector needs the government to provide a clear and consistent definition of CUI to effectively implement the rule.”

The National Defense Industrial Association and Information Technology Industry Council also submitted comments to the Defense Department separately. They asked for additional guidance to be added to the DOD rule on the role, responsibilities and purpose of the CMMC AB. -- Sara Friedman (sfriedman@iwpnews.com)