Inside Cybersecurity

December 7, 2021

Daily News

CMMC internal review moves forward with undisclosed recommendations pending before Pentagon leaders

By Sara Friedman / October 19, 2021

An examination of the Pentagon’s cyber certification program is moving into a new phase with the internal review of the initiative complete, according to sources, who say recommendations are currently under consideration by DOD leadership.

The Defense Department began an internal review of its Cybersecurity Maturity Model Certification program in March under an order by Defense Deputy Secretary Kathleen Hicks. Jesse Salazar, deputy assistant secretary of dense for industrial policy, outlined three major goals for the review in June.

Salazar said the review is “being led by a cross-functional team and senior leaders across the department. We are taking a broad look at DIB cybersecurity beyond CMMC accreditation that includes cyber threat information sharing programs, cybersecurity as a service programs, education and training programs and we see great value in dedicating resources to help small companies improve cyber readiness.”

Recommendations from the DOD group were recently sent to Hicks, according to two stakeholders in the CMMC process. Pentagon spokeswoman Jessica Maxwell told Inside Cybersecurity in September, “We anticipate the review to be completed in late 2021, at which point the Department will communicate any anticipated changes to the CMMC program to industry and other stakeholders.”

DOD officials did not immediately respond to a request for comment on the review’s current status.

One area of concern is the impact of the CMMC program on small business and ways to reduce cost. The Defense Department estimates 74 percent of contractors are small business and 60 percent of those entities will need a CMMC level one certification in the CMMC interim final rule.

The level one certification is for federal contract information and has 17 practices. Protecting controlled unclassified information is the focus for level three and there are 130 controls, largely based on NIST Special Publication 800-171.

Leaders from the House Small Business oversight subcommittee are working to get an amendment into the fiscal 2022 National Defense Authorization Act that would direct the Pentagon to assess the small business impacts of the CMMC program.

Part of the challenge is how acquisition officials will define CUI in their contracts. The CMMC program was created to address the problem and make companies more aware of how and when they submit data to their subcontractors.

Industry urged DOD in September to “standardize and improve the marking practices for the Department’s CUI requiring protection and dissemination instructions” in a multi-association letter to senior officials.

The letter said, “For the CUI program to work, it is imperative that all DoD agencies involved in all acquisition contracts clearly, accurately, and correctly identify, define, and describe the CUI requiring protection. This is particularly true whenever the Department decides to leave the identification and definition of CUI up to the contractor.”

“In these cases, the Department must still provide detailed guidance regarding the type of information to be protected and should continue to collaborate with contractors and subcontractors that generate DoD CUI,” the letter said. “Without this critical information being defined to industry, there is a great risk that industry will not correctly identify or protect what the DoD would ultimately want to be protected. It does not serve anyone’s interests to leave the boundaries of CUI in permanent doubt.”

The CMMC program moves the defense industrial base from the self-attestation mode against 800-171 to needing a certification from a certified third party assessment organization authorized by the CMMC Accreditation Body.

One way to address the issue is to allow companies to “self-attest” their compliance with level one, one source told Inside Cybersecurity, and requiring companies to submit those scores to DOD.

The source said, “While it is important to protect federal contract information, that information is not as important as CUI and many of the companies at level one simply don’t have the means or the will to prepare for an assessment.” The source added “coming up with enough assessors” to complete the assessments is a “daunting task” and might not be “realistic” while “having an assessment mechanism for level one that is effective and affordable is itself a challenge.”

There are currently 115 provisional assessors approved by the CMMC-AB and five C3PAOs authorized. However, official assessments have not started due to challenges setting up a DOD portal for the C3PAOs to submit their assessments and other necessary documentation.

However, another stakeholder in the CMMC ecosystem said making the change would have “large implications for all of the people who have invested in the CMMC ecosystem, who have been establishing processes and the business model of doing auditing and providing services with the presumption of how big the market would be for that.”

DOD’s current approach to small business has focused on providing resources to help companies reach compliance such as Project Spectrum, which is managed by DOD’s Office of Small Business Programs. The first source said, “Posting more training resources doesn’t really solve the problem of money, people and tools that besets the small businesses.”

The CMMC interim final rule went into effect on Nov. 30, 2020 and industry is eagerly awaiting the release of the final rule. There are ongoing discussions in the Defense Department on whether a new proposed rulemaking should be issued instead and further delay the start of the CMMC program, the source said.

In the multi-association letter, industry groups said they support the release of a proposed rule if “significant changes” are made to the program and they encouraged “DoD to conduct virtual public hearings if the Department contemplates material changes to the present structure and methods.”

Alternative approaches

Industry has proposed other ways the alleviate some of the cost for small business.

The National Defense Industrial Association wants DOD to consider how it can help contractors achieve compliance through collaborations with cloud service providers.

“CMMC should take advantage of the inherent capabilities of the cloud where it makes sense,” NDIA wrote in a Sept. 21 white paper. “This process can include collaborating with CSPs to deploy preconfigured and CMMC-compliant cloud environments for small businesses to easily adopt. DoD could also provide a government-furnished environment for small businesses, new entrants, and so on.”

NDIA said, “Importantly, this step would include accounting for the unique attributes and requirements of IT versus OT. It would also enable DoD to coordinate the adoption of evolving cybersecurity methods consistent with the President’s Executive Order on Improving the Nation’s Cybersecurity.”

Microsoft and Amazon Web Services are working on ways to support contractors who need CMMC certifications through shared responsibility models with managed security service providers. Microsoft’s Richard Wakeman told Inside Cybersecurity, his company wants information from DOD on reciprocity with other government standards including the General Services Administration’s FedRAMP program.

One goal of the CMMC internal review is to “clarify cybersecurity regulatory policy and contracting requirements,” DOD’s Salazar said in June.

He said, “The department’s requirements are complex and challenging to navigate. We want to deconflict and streamline them in order to add clarity.”

The multi-association letter said, “We urge the Department to harmonize CMMC requirements with other federal cybersecurity directives to support the adoption of a holistic risk management strategy. To that end, we encourage DoD to issue authoritative guidance on reciprocity with existing certifications and to harmonize not-yet implemented security requirements as appropriate. We are most concerned about existing authorizations issued by FedRAMP and the DoD SRG Impact Level Assessments. These programs implement many of the same security controls from NIST SP 800-171 and will leverage the new NIST SP 800-53 Rev.5 controls as appropriate for their respective implementation.” -- Sara Friedman (sfriedman@iwpnews.com)