The Defense Department’s policy for contractors to provide details on how they will address gaps in their CMMC assessments will include a threshold on requirements that “need to be” taken “seriously,” according to DOD’s John Ellis, who leads the office responsible for conducting CMMC assessor audits.
Allowing contractors to submit a plan of action and milestones explaining how they will achieve specific unmet requirements on CMMC controls is a new feature of DOD’s Cybersecurity Maturity Model Certification as part of a revamp to the program called “CMMC 2.0.”
Ellis said DOD’s policy has “not been firmed up 100 percent yet” for what POA&Ms they will allow, but he explained foundational principles that companies should be aware of.
“We are going to have some mandatory, you must do some of the requirements to meet POA&M applicability. We will establish a score that needs to be met,” Ellis said Wednesday during a webinar hosted by NeoSystems. Ellis leads DCMA’s Defense Industrial Base Cybersecurity Assessment Center, which started conducting voluntary company assessments for compliance with NIST Special Publication 800-171 in 2019.
The DIBCAC took additional responsibilities in 2021 to evaluate certified third party assessment organizations against CMMC level three. The DIBCAC is in the process of changing its methodology for CMMC 2.0, which consolidates the number of maturity levels from five to three and sets level two as the new standard for the DIBCAC’s C3PAO assessments.
From the “couple of 100 plus assessments we have conducted to date, about 75 percent of companies failed to meet those requirements,” Ellis said. “That’s a problem. It also takes them way too long to close those POA&M items, that’s a problem.”
Ellis said, “We are addressing that with CMMC 2.0” through “establishing some minimum requirements, thresholds that must be met to even be considered for a POA&M and then we are going to have a time limit.” The Defense Department is currently considering a 180-day requirement to fill gaps.
Ellis said DOD recognizes that “there is going to be teeth associated with this timeline because we need to companies to take this stuff seriously. One of the things that I need to make sure folks understand is while you have POA&Ms you have introduced a significant amount of risk into your environment.”
The DIBCAC is working with the services and DOD agencies to provide guidance for program offices on CMMC implementation and requirements that should go into their contracts. Ellis said one example is asking companies to provide “their system security plan” and giving guidance to contracting officials on how to “evaluate from their perspective” whether “a company has what it takes to take their requirements seriously.”
Ellis said he met with the Defense Information Systems Agency last week and has a “sit down” scheduled with the Navy today on CMMC.
“We are continuing this drumbeat that the services and agencies have a role to play in ensuring…the DIB and the government understand these requirements are important. We need to keep our eye on [the DIB] and we need to continue to get smart, stay ahead of the game and do our best to ensure that awareness throughout the entire acquisition ecosystem,” Ellis said.
The NeoSystems webinar also featured attorney Robert Metzger, who weighed in the changes to the CMMC model and the potential for lawsuits as the CMMC rollout continues.
Metzger recently spoke with Inside Cybersecurity on potential DOD incentives to encourage companies to obtain a voluntary CMMC certification before CMMC requirements start showing up in contract solicitations.
When DOD announced CMMC 2.0, they said there will be no CMMC requirements in DOD contracts until the rulemaking process is complete and estimated the rulemaking process could take anywhere from nine to 24 months.
If the two rulemakings are released in December 2022, Metzger said the earliest they would go into effect is March 1, 2023, which he said means there will be “13 months before any assessment is required on any contract. And there is reason for concern many companies will see this interval for 2.0 to do little or nothing.” -- Sara Friedman (firstname.lastname@example.org)