The Defense Department is exploring how it can offer incentives to contractors who adopt standards from the Cybersecurity Maturity Model Certification program before the official rollout begins, according to Pentagon official Stacy Bostjanick.
The Pentagon announced major changes to its CMMC program on Nov. 4 and halted CMMC pilot efforts while a new rulemaking process gets underway. The process is expected to take between nine and 24 months, and the Pentagon still wants contractors to act today to reach compliance with CMMC rather than waiting for the program to go fully into effect.
Bostjanick explained two options under consideration by DOD officials at a training conference Wednesday hosted by the Coalition for Government Procurement. Bostjanick is the director of supply chain management in the Office of the Under Secretary of Defense for Acquisition and Sustainment.
The first is allowing companies that “demonstrate their networks are secure” to “possibly garner a higher profit margin,” Bostjanick said.
“Another area we are looking at is increasing the use of evaluation criteria for contracts where it doesn’t necessarily need to be a CMMC certification, but we will assess people’s network security as part of a source selection evaluation, so it would still be a factor in garnering an award prior to CMMC becoming effective through rulemaking,” Bostjanick said.
Part of the rationale behind the incentives is to encourage contractors to sign up for an assessment by an authorized certified third-party assessment organization (C3PAO) that has been approved by the CMMC Accreditation Body and the Pentagon. There are currently five C3PAOs on the CMMC-AB’s Marketplace fully approved to conduct assessments.
Bostjanick participated in a panel at the CGP conference featuring CMMC program director Buddy Dees, John Ellis of the Defense Contract Management Agency, and contracting attorney Robert Metzger.
One of the major differences under the revamped program, known as CMMC 2.0, is that DOD will allow contractors to submit a plan of action and milestones for certain controls that they are unable to meet during their CMMC assessments.
Dees elaborated on why the Defense Department decided to allow POA&Ms rather than requiring 100 percent compliance with CMMC requirements at the time of assessment.
Dees said there are “currently two extremes.” One is the current standard from DFARS Clause 252.204-7012, which Dees said allows POA&Ms but does not have a mechanism for closing them out “in a certain amount of time” or a policy for validating the issues have been resolved.
The other extreme is barring any POA&Ms, Dees said, and DOD determined that would severely restrict the number of companies that could obtain a CMMC certification.
As part of the CMMC internal review process, DCMA’s Defense Industrial Base Cybersecurity Assessment Center analyzed how many C3PAOs were able to obtain a certification under the requirements for CMMC level three before it was altered.
Dees said the DIBCAC found 75 percent of the C3PAOs needed to have a POA&M and only 25 percent did not. He called that statistic “eye opening” because while DOD “definitely” wants contractors to get to a “perfect score,” there were concerns about making CMMC “so rigid” that DOD “cut out three fourths of our supply chain.”
Dees said they found “that didn’t make sense. It opened the argument for ‘we need to build in some flexibility’ and we also wanted to protect ourselves against some of the problems we had for the DFARS 7012 clause.”
The DIBCAC data showed it took companies “over a year” to close out their POA&Ms, Dees said, and the internal review tiger team decided that was not acceptable.
Dees said, “What we want to do is put some time bounds on it. We are currently looking at approximately 180 days after contract award. We think that seems reasonable to allow a company to get their POA&M items closed.” The 180-day requirement would not apply to level three of CMMC 2.0.
The Defense Department is working on a “threshold score” that a contractor must meet based on the 110 controls in CMMC level two, Dees said, and they are using the DIBCAC’s NIST 800-171 DoD Methodology as a guide to start determining what controls are most important. -- Sara Friedman (sfriedman@iwpnews.com)