The Defense Department’s acquisition office and its partners are in the process of adjudicating comments on an interim rule implementing their cyber certification program, which Pentagon leaders say will have an impact on the CMMC maturity model and assessment guides.
In an interview with Inside Cybersecurity, DOD acquisition CISO Katie Arrington and Stacy Bostjanick, who was recently promoted to acting director for supply chain risk management, spoke about what is next for the Cybersecurity Maturity Model Certification program.
The Pentagon released the most recent version of the CMMC maturity model last March while the interim rule was still in development.
Stacy Bostjanick, Acting Director, Supply Chain Risk Management, DOD
There is a plan to “update the assessment guides and the model as a result of the rulemaking and the comment adjudication,” Bostjanick said. The CMMC Accreditation Body and DIB Sector Coordinating Council are weighing in on potential changes, Bostjanick said, and DOD is also “adjudicating the comments from the public comment period.”
The Pentagon is also taking a look at changes made to National Institute of Standards and Technology Special Publication 800-172, which was released in its final form last week and is the basis for several controls in maturity levels four and five.
“Our plan for 4 and five was to be in sync with ,” Bostjanick said, adding the publication will “have a bearing on where we go from here.”
Arrington said, “We created the CMMC model in 2019 and at that point what is now known as 172 was 171B and it was still evolving but because we were going through a DFAR rule change we had to lock the model in.” The Pentagon has always been “very cognizant of 172 and the enhanced security for the most critical systems,” Arrington said.
As work on the interim rule and model continues, the Pentagon has been working with the services and other elements at DOD on the pilot contracts for fiscal 2021.
Bostjanick said a contract solicitation from the Defense Health Agency’s Women, Infants and Children (WIC) Overseas Program and a separate request for proposals on the Navy’s F/A-18 will be among the first pilots to have CMMC language.
“We are in the process of vetting the WIC program to make sure that it needs to be CMMC level three or CMMC level one. It will surely handle personally identifiable information which might be what pops it up to level three,” Bostjanick said.
Katie Arrington, CISO for Acquisition, DOD
The F/A-18 contract is for a “sole source contract” that will go to Boeing, Bostjanick said. Currently, the Pentagon’s CMMC program office is “working with the program office for the F/A-18 [to] come up with the correct RFP language and then we will sit down with their data to help them map out controlled unclassified information they have through the supply chain to make sure it is properly flowed down to the lower tiers.”
Arrington added, “The number of pilots is fluid. We have a meeting with GSA to talk with them on Thursday about a pilot that they might have. DHS has also indicated they might want to do a pilot with us.”
“As we sit down with these programs and vet them to make sure they are viable and good candidates for the first year of implementation,” Arrington said her office is making sure “our timelines match up and those kinds of things. Some of the ones that were originally proposed by the services have fallen off and new ones have been put on because of those interactions.”
There will also be an opportunity for the Biden administration to weigh in on some of the pilot contracts, which will need to be approved by the new Under Secretary of Defense for Acquisition and Sustainment, Arrington said. Stacy Cummings is currently performing the duties of the undersecretary and President Biden’s pick for the position has not been announced.
The Pentagon is also working with the CMMC Accreditation Body to get certified third-party assessment organizations audited at maturity level three before they can start conducting their own assessments for contractors who want to compete for contracts.
Details of the relationship between DOD and the CMMC AB were recently revealed in a statement of work obtained by Inside Cybersecurity. Both parties worked on the contract over the course of eight months as they tested out different elements of the CMMC program through pathfinders with the Missile Defense Agency.
The pathfinder process involved breaking the model “down to see how CUI floats down, taking the contract and determining what it looks like with the new terminology and contract clauses, and asking the subs what level of CMMC” they thought they needed, Arrington said, and then DOD “coming back to determine what this really looks like.” Arrington said the process also involved “doing pathfinder assessments on those gov contractors involved and the primes and doing tabletop exercises.”
Arrington said, “We have been very busy trying to create the right training and assessment guides for the assessors and also working through a multitude of issues such as what do you do if you disagree with your [assessment] result, getting that codified and in writing.”
When crafting the CMMC-AB contract, Arrington said, “Our job at DOD was to create the model with industry and academia and also to ensure industry would be well represented in their interactions with the AB and all of those associated” with the program.
“Dispute resolution” was part of the contract negotiations, Arrington said, as well as “time determining what ISO certifications we thought were needed and necessary to ensure industry’s best interests were taken into consideration and that it would be fair, honest and ethical.” -- Sara Friedman